b'COMBINED DNA INDEX SYSTEM\nOPERATIONAL AND LABORATORY\n     VULNERABILITIES\n\n      U.S. Department of Justice\n    Office of the Inspector General\n             Audit Division\n\n         Audit Report 06-32\n             May 2006\n\x0c                         EXECUTIVE SUMMARY\n\n       The Federal Bureau of Investigation (FBI) serves as one of the primary\ncomponents in the Department of Justice\xe2\x80\x99s efforts to further develop the\nnation\xe2\x80\x99s capacity to prevent and control crime and administer justice fairly\nand effectively. The FBI assists in these efforts through various means,\nincluding providing direct technical support to state, local, and tribal law\nenforcement. One of the most powerful law enforcement tools that the FBI\nprovides is the Combined DNA Index System (CODIS), a national\nDNA-profile matching service comprised of databases containing DNA\nprofiles from crime scenes, convicted offenders, and sources involving\nmissing persons.\n\n      DNA, or deoxyribonucleic acid, is a chemical contained in the nucleus\nof a cell that carries the genetic instructions, or blueprint, for making living\norganisms. In the context of criminal investigations, scientists examine the\nDNA that varies widely among people to develop a profile that will be\nuniquely identifying (except in the instance of identical twins). DNA\nanalysis, a relatively new law enforcement tool, can provide compelling\nevidence for solving crimes or exonerating suspects. The FBI began the\nCODIS Program as a pilot project in 1990, allowing participating laboratories\nto compare DNA profiles obtained from crime scenes and convicted offenders\nto generate investigative leads.\n\n      This Office of the Inspector General (OIG) audit report examines\nvarious aspects of CODIS operations and management to discern whether\nvulnerabilities exist in the FBI\xe2\x80\x99s administration of CODIS.\n\n\nBackground\n\n      The FBI implemented CODIS as a database, distributed over three\nhierarchical levels, that enable federal, state, and local crime laboratories to\ncompare DNA profiles electronically. The National DNA Index System,\n(NDIS), which became operational in 1998, is the highest level in the CODIS\nhierarchy. It enables the laboratories participating in the CODIS Program to\ncompare DNA profiles on a national level. Each state maintains a State DNA\nIndex System (SDIS), and participating local laboratories across the country\neach maintain a Local DNA Index System (LDIS). DNA profiles are entered\ninto CODIS by local and state laboratories, which then flow to the state and\nnational levels where they are compared to determine if a convicted offender\ncan be linked to a crime, if crimes can be linked to each other, or if missing\nor unidentified persons can be identified.\n\x0c       The CODIS Program is operated by the CODIS Unit, within the FBI\nLaboratory Division, Scientific Analysis Section, Forensic Analysis Branch.\nThe CODIS Unit is charged with overseeing CODIS and NDIS operations and\nadministration, and ensuring that those operations comply with applicable\nlegislated requirements.\n\n      As of November 2005, 175 laboratories were participating in NDIS.\nThese laboratories collectively uploaded nearly 2.9 million profiles to NDIS,\nincluding:\n\n   \xe2\x80\xa2   2,743,068 convicted offender profiles;\n\n   \xe2\x80\xa2   123,835 crime scene (forensic) profiles;\n\n   \xe2\x80\xa2   1,481 relatives of missing person profiles;\n\n   \xe2\x80\xa2   621 unidentified human remains profiles; and\n\n   \xe2\x80\xa2   269 missing person profiles.\n\n      The success of CODIS is measured primarily through the number of\ncases that CODIS assists through a \xe2\x80\x9chit\xe2\x80\x9d (a match between DNA profiles\nproduced by CODIS that would not otherwise have been developed), also\nreferred to as \xe2\x80\x9cinvestigations aided.\xe2\x80\x9d Through November 2005, CODIS aided\n29,666 investigations in 49 states and 2 federal laboratories.\n\n\nPrior Audits of CODIS\n\n       The OIG previously conducted an audit to determine the extent of\nstate and local laboratory participation in CODIS, particularly for those\nentities receiving laboratory grants, and to evaluate the FBI\xe2\x80\x99s\nimplementation and monitoring of CODIS. 1 As part of that audit, we\nreviewed eight individual laboratories to determine their compliance with\napplicable statutes and FBI standards. 2 That audit report, issued in 2001,\nconcluded that:\n\n\n\n\n       1\n       Department of Justice, Office of the Inspector General. Audit Report No. 01-26,\nThe Combined DNA Index System, September 2001.\n       2\n         Of the eight laboratories, three were in Florida and one each in California, Illinois,\nNorth Carolina, Pennsylvania, and Virginia. See Appendix V, \xe2\x80\x9cFY 2000\xe2\x80\x9d list, for further\ndetails.\n\n                                             - ii -\n\x0c     \xe2\x80\xa2   The FBI needed to improve its oversight of CODIS-participating\n         laboratories to ensure the laboratories were in compliance with\n         applicable legislation, the FBI\xe2\x80\x99s Quality Assurance Standards (QAS), and\n         the FBI requirements for laboratories participating in NDIS.\n\n     \xe2\x80\xa2   The FBI needed to initiate procedures to ensure that DNA profiles in\n         CODIS are complete, accurate, and allowable.\n\nAs a result of these findings, we made the following recommendations to the\nFBI:\n\n     \xe2\x80\xa2   Require that the accuracy, completeness, and allowability of the DNA\n         profiles in NDIS be routinely verified through audits or other means.\n\n     \xe2\x80\xa2   Ensure that analysts performing DNA testing at laboratories uploading\n         DNA profiles to NDIS are aware of the NDIS participation\n         requirements, particularly those requirements delineating the types of\n         allowable profiles.\n\n     \xe2\x80\xa2   Develop and implement a process to ensure that laboratories\n         adequately resolve all deficiencies noted during the QAS-required\n         audits.\n\n      Since the issuance of the 2001 audit report, the OIG has completed an\nadditional 24 CODIS laboratory audits. 3 This audit report follows up on our\nprevious report and assesses the FBI\xe2\x80\x99s administration of CODIS operations.\n\n\nAudit Approach\n\n     This audit was designed to assess the status of CODIS operations and\nCODIS trends and vulnerabilities. The specific objectives of the audit were\nto:\n\n1.       assess the adequacy of the FBI\xe2\x80\x99s administration of CODIS, including its\n         oversight of NDIS;\n\n2.       analyze findings from DNA laboratory audits, both OIG-conducted\n         audits and external quality assurance audits, to determine if they\n         reveal trends and vulnerabilities; and\n\n\n\n         3\n             See Appendix V for a complete listing of the CODIS laboratory audits conducted by\nthe OIG.\n\n                                              - iii -\n\x0c3.     evaluate the FBI\xe2\x80\x99s implementation of corrective actions in response to\n       findings from the OIG\xe2\x80\x99s September 2001 audit, The Combined DNA\n       Index System.\n\n      To accomplish these objectives, we reviewed various data and\ndocumentation provided to us by FBI officials, evaluated the results of past\nOIG CODIS laboratory audits, interviewed members of the CODIS Unit staff,\nand collected and analyzed documentation from select NDIS-participating\nlaboratories.\n\n      Additionally, to obtain the viewpoints of state and local\nNDIS-participating laboratories, we surveyed CODIS administrators at those\nlaboratories (not including the FBI).\n\n\nSummary of OIG Findings\n\n      We identified several recommendations for the FBI to: (1) improve its\nadministration of CODIS, (2) track and respond to CODIS trends and\nvulnerabilities, and (3) improve or complete its corrective action to our 2001\naudit, as summarized in the following sections.\n\n\nFBI Administration of CODIS\n\n       The FBI received an overall positive evaluation of its administration of\nCODIS from the CODIS administrators we surveyed. We determined that\nthe FBI also has given attention to CODIS infrastructure, development, and\nstaffing. However, based on our analysis of the survey responses and FBI\ndocumentation, we have identified several areas in need of further\nimprovement. For example:\n\n1.     QAS compliance within the CODIS community can be improved and\n       workloads reduced if the FBI ensures that all CODIS administrators\n       receive QAS auditor training; 4\n\n2.     CODIS Unit responsiveness can be improved through sufficient staffing\n       and tracking of information requests;\n\n\n\n\n       4\n          The FBI conducts training courses for auditors assessing compliance with the QAS\nwithin the DNA community. The primary focus of these courses is to ensure a consistent\nunderstanding of the QAS and consistent application of the FBI\'s audit document.\n\n                                          - iv -\n\x0c3.     CODIS community understanding and compliance with profile\n       allowability restrictions can be enhanced through increased emphasis\n       on written sources of guidance available to all CODIS users;\n\n4.     NDIS Audit Review Panel (Review Panel) timeliness can be improved if\n       guidance is disseminated to the appropriate members of the\n       community, who can ensure that submissions to the Review Panel are\n       complete; 5 and\n\n5.     The FBI can improve information sharing through better use of the\n       CODIS intranet website to disseminate written guidance to the\n       community that is easy to navigate, consistent, and practical.\n\n       In addition, from our review of historical staffing data, we found that in\nthe several years prior to 2004, the FBI failed to staff the CODIS Unit\ncommensurate with growing demands and participation, and thereby put at\nrisk the ability of CODIS staff to properly oversee and administer the CODIS\nProgram. However, in February 2004, FBI management took action to\nincrease CODIS staffing and reaffirm the importance of a sufficient number\nof program manager positions. Yet, progress in filling the positions assigned\nto the CODIS Unit has been limited due to a variety of delays and difficulties.\nOf particular concern is the on-going lack of an NDIS Program Manager,\nespecially in light of the trends and vulnerabilities we identify in our report\nrelated to the compliance of NDIS-participating laboratories with standards\ngoverning participation. Therefore, we recommend that the FBI make\nconcerted efforts to bring the CODIS Unit up to full staffing levels.\n\n       Further, in the written documents provided to us, the FBI appears to\ncapture the mission, goals, objectives, strategies, and performance\nmeasurements for the CODIS Unit. These documents are interlinked in a\nway that allows the performance measurements to be meaningful and\nmeasurable. However, we identified three activities which are not reflected\nin the CODIS Unit\xe2\x80\x99s performance measurements that are an essential part of\nthe Unit accomplishing its mission: (1) auditing of NDIS data; (2) providing\ntraining on QAS compliance; and (3) overseeing the activities of the Review\nPanel. These three activities comprise the CODIS Unit\xe2\x80\x99s primary means of\nmonitoring and assisting NDIS-participants\xe2\x80\x99 compliance with the QAS and\nverifying the integrity of NDIS data. Consequently, we recommend that\nthese three activities should be formalized and clearly reflected as the\n\n       5\n          The NDIS Audit Review Panel is a group of volunteer members of the DNA\ncommunity who meet specific requirements, as well as FBI DNA staff members. The panel\nreviews all external QAS audits conducted at NDIS-participating laboratories across the\ncountry, with the purpose of ensuring consistent and thorough application of the QAS by the\nauditors and appropriate and complete corrective action by the laboratories.\n\n                                           -v-\n\x0cCODIS Unit\xe2\x80\x99s responsibilities in its objectives and performance\nmeasurements.\n\n       The FBI has taken measures to provide for the operations,\nmaintenance, and security of the CODIS system for the near future.\nHowever, continued progress is needed to ensure that the development\ncontract process planned for fiscal year (FY) 2006 is completed, and that the\ndevelopment contract awarded allows for continued responsiveness to\nlegislated changes to CODIS operations.\n\n\nTrends and Vulnerabilities in the CODIS Community\n\n       In assessing the results of the OIG CODIS laboratory audits completed\nin FY 2004 and FY 2005 (a total of 18 audits), we found that common\nfindings occurred with greatest frequency in the two areas of review that are\nnot audited by QAS auditors within the DNA community: compliance with\nNDIS participation requirements and the proper upload of forensic profiles to\nNDIS. Further, the FBI does not intend to have CODIS Unit auditors, once\nhired, routinely audit compliance with NDIS requirements. Instead, the FBI\nrelies upon the annual CODIS user certifications as the primary means of\nensuring the compliance of NDIS data. 6 From the trends we noted, we\nconcluded that this reliance is insufficient, for the following reasons.\n\n   \xe2\x80\xa2   We noted 13 incidents where forensic profiles in NDIS violated some\n       aspect of NDIS requirements. This occurred in 11 of the\n       18 laboratories we audited, and suggests that the annual certification\n       forms have not been successful in ensuring CODIS user compliance\n       with profile allowability restrictions.\n\n   \xe2\x80\xa2   We found that 6 of 18 laboratories we audited had not completed the\n       annual user certification forms as required. The forms are completed\n       by laboratories on a self-certification basis and are not required to be\n       submitted to the FBI.\n\n     In addition to our assessment of the OIG CODIS laboratory audits, we\nexamined 41 state and local external QAS audits conducted by QAS auditors\n\n\n\n       6\n         At the beginning of each calendar year, each laboratory\xe2\x80\x99s CODIS Administrator is\nrequired by NDIS procedures to ensure that each CODIS user is reminded of the categories\nof DNA data accepted at NDIS. As part of that, the CODIS Administrator has individual\nusers certify that they have received their annual reminder and understand and will abide\nby what DNA data is accepted at NDIS.\n\n                                          - vi -\n\x0cwithin the DNA community. 7 We identified trends in findings that implicate\nsignificant aspects of laboratory operations, such as chain-of-custody\ndocumentation; labeling of evidence and security of evidence storage; and\nproper monitoring of critical reagents, equipment, and procedures. Further,\n10 percent of the findings noted were overturned after examination by the\nReview Panel, in some cases without full disclosure of the overturned\nfindings to the audited laboratories. 8 In addition, we determined that the\nFBI is not systematically and completely tracking common and overturned\nfindings. Without a thorough understanding of trends in common findings,\nthe FBI cannot properly provide the CODIS community additional guidance\nneeded to remedy and prevent compliance weaknesses in the trend areas.\nWithout an understanding of trends in overturned findings, the FBI also\ncannot take the necessary steps to guide all QAS auditors toward a\nconsistent interpretation and application of the standards and to ensure that\nQAS auditors obtain feedback on their performance.\n\n       Overall, we believe the weaknesses we identified leave the FBI\npotentially vulnerable to undetected inadvertent or willful non-compliance by\nCODIS participants and consequently could undermine the integrity of the\nCODIS Program. We conclude that the FBI needs to develop internal\ncontrols over compliance of NDIS data beyond its current reliance on the\nannual certification forms, and should track audit findings to obtain the type\nof information that will be beneficial to auditors and audited laboratories.\n\n\nImplementation of Corrective Action\n\n      Previous OIG audit findings identified the need to verify the compliance\nof NDIS data, to ensure NDIS user compliance with NDIS requirements, and\nto ensure that laboratories remedy QAS audit findings.\n\n       The FBI\xe2\x80\x99s corrective action approach to the need to verify NDIS data\nwas two-fold. First, the FBI began requiring FBI QAS auditors to review\nCODIS profiles as part of their case file reviews (this action was initiated in\nJune 2004). Second, the FBI began taking steps to hire auditors who would\nsystematically audit the profiles contained in NDIS. In assessing this action,\nwe determined that the FBI QAS auditor methodology for reviewing profiles\nis deficient due to its limited scope. In addition, the FBI does not intend to\n\n       7\n       We use the term \xe2\x80\x9cQAS auditors\xe2\x80\x9d to refer to the scientists within the DNA\ncommunity who perform QAS audits.\n       8\n           The Review Panel overturns a finding when it determines that the finding was not\njustified based upon the commonly accepted interpretation of the QAS. Often, for this to\noccur, the audited laboratory must challenge the finding before the Review Panel.\n\n                                           - vii -\n\x0chave the CODIS Unit auditors, once hired, expand the current methodology\nto include broader profile reviews. Further, the FBI has not implemented a\nmechanism to document and track how many profiles are confirmed during\nthese reviews, or the frequency with which these reviews are conducted.\n\n       To address the need to ensure NDIS user compliance with NDIS\nrequirements, the FBI instituted a requirement for annual CODIS user\ncertifications, completed on a self-certification basis. However, the process\nfor completing these forms does not provide the FBI with the information it\nneeds to confirm that all CODIS users have completed the forms as\nrequired. Further, the continued reliance on self-certification perpetuates\nthe weakness we noted in the 2001 audit.\n\n      Finally, the FBI implemented various corrective action measures in\nresponse to the need for greater oversight of QAS compliance and the\nadequacy of laboratories\xe2\x80\x99 responses to QAS audit findings. These measures\nincluded conducting QAS auditor training courses, implementing a DNA\ncommunity-wide audit document, and creating the Review Panel to ensure\ncomplete and appropriate corrective action to QAS audit findings. However,\nwe identified the need for improved Review Panel timeliness and improved\nconsistency in training through an emphasis on written guidance.\n\n\nConclusion and Recommendations\n\n       We found that while the FBI has made improvements to several\naspects of CODIS operations, the FBI needs to make further improvements\nto ensure that it properly oversees the CODIS Program and CODIS\nparticipants. Further, we identified several opportunities for data tracking\nand information sharing that would enable the FBI to better assist the\nCODIS community in its understanding of and compliance with the QAS and\nNDIS participation requirements.\n\n      Accordingly, we made 22 recommendations for corrective actions that\nare needed for the FBI to improve its administration of CODIS. Among these\nrecommendations are for the FBI to:\n\n   \xe2\x80\xa2   Develop and implement a plan to ensure that all CODIS administrators\n       attend the FBI QAS auditor training.\n\n   \xe2\x80\xa2   Improve information sharing through enhancements to the CODIS\n       website.\n\n\n\n\n                                    - viii -\n\x0c\xe2\x80\xa2   Develop communication policies that will allow the CODIS Unit to\n    provide guidance to members of the DNA community in writing.\n\n\xe2\x80\xa2   Develop a staffing plan that identifies current hindrances to filling\n    vacant positions in the CODIS Unit, solutions to those hindrances, and\n    a timeline of action.\n\n\xe2\x80\xa2   Incorporate the three activities we identified (auditing of NDIS\n    data, providing training on QAS compliance, and overseeing the\n    activities of the Review Panel) into the CODIS Unit\xe2\x80\x99s objectives and\n    measurements to fully reflect the CODIS Unit\xe2\x80\x99s efforts to address its\n    mission.\n\n\xe2\x80\xa2   Ensure that the internal controls over the compliance of NDIS data are\n    strengthened beyond the current reliance on self-certification annual\n    reminder forms.\n\n\xe2\x80\xa2   Implement a formal mechanism for tracking findings in audits\n    reviewed by the NDIS Audit Review Panel and for tracking QAS auditor\n    performance.\n\n\n\n\n                                  - ix -\n\x0c                               TABLE OF CONTENTS\n\nINTRODUCTION ................................................................................ 1\n\n       CODIS Development and Design ................................................... 1\n\n       CODIS Contents and Growth ........................................................ 2\n\n       CODIS Management and Measurements......................................... 8\n\n       Prior Reviews ........................................................................... 10\n\n       Audit Approach ......................................................................... 12\n\nFINDINGS AND RECOMMENDATIONS.............................................. 14\n\nI.     FBI\xe2\x80\x99S ADMINISTRATION OF CODIS NEEDS IMPROVEMENT .... 14\n\n       Administrator Survey Identifies Opportunities for Improvement....... 14\n\n       Inadequate CODIS Unit Staffing.................................................. 29\n\n       Additional Performance Measurements Needed.............................. 34\n\n       Current Progress on CODIS Infrastructure .................................... 39\n\n       Recommendations..................................................................... 44\n\nII.    TRENDS AND VULNERABILITIES REVEALED THROUGH\n       AUDIT RESULTS ..................................................................... 46\n\n       Need for Additional Verification of Compliance with\n       NDIS Requirements................................................................... 46\n\n       Flaws in the FBI\xe2\x80\x99s Oversight of QAS Audits ................................... 48\n\n       Recommendations..................................................................... 53\n\nIII.   ADDITIONAL CORRECTIVE ACTION NEEDED TO ADDRESS\n       PREVIOUS FINDINGS ............................................................. 55\n\n       Verifying the Compliance of Data in NDIS..................................... 55\n\n       Continued Reliance on Self-certification........................................ 57\n\n       Improvement in Oversight of QAS Audits ..................................... 57\n\x0c      Recommendations..................................................................... 62\n\nSTATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS ...... 64\n\n      DNA Identification Act of 1994 .................................................... 64\n\n      Justice for All Act of 2004........................................................... 64\n\nSTATEMENT ON INTERNAL CONTROLS............................................ 66\n\nAPPENDIX I        \xe2\x80\x93 OBJECTIVES, SCOPE, AND METHODOLOGY ...........67\n\nAPPENDIX II \xe2\x80\x93         LIST OF SURVEYED LABORATORIES .....................73\n\nAPPENDIX III \xe2\x80\x93 AUDIT CRITERIA ..................................................82\n\nAPPENDIX IV \xe2\x80\x93 AUDIT CRITERIA FOR CODIS\n              LABORATORY AUDITS ..........................................87\n\nAPPENDIX V        \xe2\x80\x93   DOJ OIG CODIS LABORATORY AUDITS\n                      FYs 2000 \xe2\x80\x93 2006.................................................. 93\n\nAPPENDIX VI \xe2\x80\x93 CODIS USER ANNUAL REMINDER FORM................96\n\nAPPENDIX VII \xe2\x80\x93 OIG CODIS ADMINISTRATOR SURVEY ..................98\n\nAPPENDIX VIII \xe2\x80\x93 FBI RESPONSE TO DRAFT REPORT......................130\n\nAPPENDIX IX \xe2\x80\x93 OIG ANALYSIS AND SUMMARY OF ACTIONS\n              NECESSARY TO CLOSE THE REPORT....................143\n\x0c                                 INTRODUCTION\n\nCODIS Development and Design\n\n      The Federal Bureau of Investigation (FBI) has provided the law\nenforcement community with the Combined DNA Index System (CODIS), a\nnational DNA-profile matching service comprised of databases containing\nDNA profiles from crime scenes, convicted offenders, and missing persons.\n\n       CODIS began as a pilot project in 1990. The DNA Identification Act of\n1994 formalized the FBI\xe2\x80\x99s authority to establish a National DNA Index\nSystem (NDIS) for law enforcement purposes and NDIS became operational\nin 1998. 1 The Act authorized the FBI to establish an index of DNA\nidentification records of persons convicted of crimes, and analyses of DNA\nsamples recovered from crime scenes and from unidentified human remains.\nThe Act further specified that the index include only DNA information that is\nbased on analyses performed in accordance with the FBI\xe2\x80\x99s Quality Assurance\nStandards (QAS).\n\n       The FBI implemented CODIS as a database with three hierarchical\nlevels that enables federal, state, and local crime laboratories to compare\nDNA profiles electronically. As illustrated on the following page, the three\ndistinct levels are: NDIS, managed by the FBI as the nation\xe2\x80\x99s DNA database\ncontaining DNA profiles uploaded by participating states; the State DNA\nIndex System (SDIS), serving as each state\xe2\x80\x99s DNA database containing DNA\nprofiles from local laboratories; and the Local DNA Index System (LDIS),\nused by local laboratories. DNA profiles originate at the local or state level\nand flow upward to the state (if from the local level) and national levels. For\nexample, the local laboratory in the Palm Beach, Florida, Sheriff\xe2\x80\x99s Office\nsends its profiles to the state laboratory in Tallahassee, which then uploads\nthe profiles to NDIS. A laboratory\xe2\x80\x99s profiles need to be uploaded to NDIS\nbefore they benefit the system as a whole.\n\n      NDIS is the highest level in the CODIS hierarchy and enables the\nlaboratories participating in the CODIS Program to compare DNA profiles on\na national level. Each state participating in CODIS has one designated SDIS\nlaboratory. The SDIS laboratory maintains its own database and is\nresponsible for overseeing NDIS communications for all CODIS-participating\nlaboratories within the state.\n\n\n\n\n      1\n          Pub. L. No. 103-322 (1994).\n\n                                        -1-\n\x0c          Figure 1 \xe2\x80\x93 Example of System Hierarchy within CODIS 2\n\n\n                                               NDIS\n\n\n\n\n SDIS                            SDIS                             SDIS\n Laboratory                      Laboratory                       Laboratory\n Richmond, CA                    Springfield, IL                  Tallahassee, FL\n\n\n\n                                   LDIS Laboratories (partial list):\n                                   DuPage County Sheriff\xe2\x80\x99s Office\n                                   Illinois State Police, Chicago\n                                   Illinois State Police, Rockford\n\n  LDIS Laboratories (partial list):                       LDIS Laboratories (partial list):\n  Orange County Sheriff\xe2\x80\x99s Department                      Broward County Sheriff\xe2\x80\x99s Office\n  San Bernardino County Sheriff\xe2\x80\x99s Department              Miami-Dade Police Department\n  San Diego Police Department                             Palm Beach Sheriff\xe2\x80\x99s Office\n\n\nSource: OIG analysis of CODIS system hierarchy\n\n       The FBI has distributed CODIS software free of charge to state or local\nlaw enforcement laboratory performing DNA analysis. Before a laboratory is\nallowed to participate at the national level and upload DNA profiles to NDIS,\na Memorandum of Understanding (MOU) must be signed between the FBI\nand the applicable state\xe2\x80\x99s SDIS laboratory. The MOU defines the\nresponsibilities of each party, includes a sublicense for the use of CODIS\nsoftware, and delineates the standards that laboratories must meet in order\nto utilize NDIS. Although officials from LDIS laboratories do not sign an\nMOU, LDIS laboratories that upload DNA profiles to an SDIS laboratory are\nrequired to adhere to the MOU signed by the SDIS laboratory.\n\n\nCODIS Contents and Growth\n\n      As of November 2005, NDIS contained nearly 2.9 million profiles in the\nfollowing five indices (or databases): (1) the Convicted Offender database,\n(2) the Forensic database, (3) the Unidentified Human Remains database,\n(4) the Missing Persons database, and (5) the Relatives of Missing Persons\n\n      2\n         The Department of Justice Office of the Inspector General developed this system\nhierarchy example using information obtained from the FBI.\n\n\n\n                                               -2-\n\x0cdatabase. The first two databases work together to form CODIS\xe2\x80\x99 crime-\nsolving capabilities, since they can be searched against one another to assist\nlaw enforcement personnel in solving crimes. The remaining three\ndatabases can be searched against one another in order to identify missing\nand unidentified persons.\n\n       The Convicted Offender database contains DNA profiles from persons\nconvicted of qualifying federal or state crimes where the applicable\njurisdiction requires the creation of a DNA record for the convicted person.\nThe Forensic database contains DNA profiles from persons whose identity is\nnot known with certainty; these DNA profiles come from evidence either left\nat or removed from a crime scene. The DNA profiles in the two databases\nare compared to determine if a convicted offender can be linked to a crime\nor if crimes can be linked to each other.\n\n       The Unidentified Human Remains database contains DNA profiles from\nthe remains of individuals that cannot be identified by fingerprint, dental,\nmedical, or anthropological examinations, and of individuals who are living,\nbut are unidentifiable using typical investigative methods (such as children\nand others who cannot or refuse to identify themselves). The Relatives of\nMissing Persons database contains DNA profiles generated from the relatives\nof known missing individuals, while the Missing Persons database contains\nDNA records of missing persons obtained from their effects or deduced from\ntheir relatives\xe2\x80\x99 profiles. Profiles in these two databases are compared to\nDNA profiles from unidentified remains or unidentified individuals in an\nattempt to make an identification.\n\n       CODIS has been expanded through various means since NDIS first\nbecame operational in 1998, as described below. Laws governing which\nprofiles can be included in NDIS have expanded at both state and federal\nlevels, creating additional databases within CODIS. Further, the number of\nparticipating and contributing laboratories has grown significantly. These\nfactors have caused the number of profiles in NDIS to increase dramatically.\n\n\nExpanding Federal Legislation\n\n      The DNA Identification Act of 1994 authorized the FBI to establish\nNDIS but did not authorize the collection of DNA samples from federal\noffenders. Enactment of the DNA Analysis Backlog Elimination Act of 2000\nremedied this by authorizing collection of DNA samples from federal\noffenders and from those who commit qualifying crimes in the District of\n\n\n\n\n                                    -3-\n\x0cColumbia, the military, and on tribal reservations. 3 Additionally, in response\nto the events of September 11, 2001, the USA Patriot Act of 2001 expanded\nthe list of offenses for which offender samples would be collected to include\nacts of terrorism and all crimes of violence. 4\n\n      The Justice for All Act, signed into law on October 30, 2004, authorized\nthe FBI to expand NDIS to include an additional index for DNA profiles of\nindicted persons. 5 As a result, those state and local laboratories located in a\nstate where the law authorizes the collection of DNA samples from indicted\npersons may include the DNA profiles of indicted persons in NDIS.\nAccordingly, the FBI added the Indicted Persons Index to NDIS in January\n2005. The Act also required the state to have expungement procedures in\nplace for removing the implicated profiles in the event that charges are\ndismissed or prosecution of the charges results in an acquittal. In addition,\nthe Act expanded the list of offenses that require collection of a DNA sample\nwhen committed in the District of Columbia, the military, and on tribal\nreservations to include all felony and comparable military offenses.\n\n       The Justice for All Act also authorized the FBI to permit\nNDIS-participating laboratories to perform a one-time search of certain DNA\nprofiles, which were not allowed to be stored in NDIS, against NDIS\ndatabases. Specifically, NDIS-authorized users \xe2\x80\x9cmay also access that index\n[NDIS] for purposes of carrying out a one-time keyboard search on\ninformation obtained from any DNA sample lawfully collected for a criminal\njustice purpose except for a DNA sample voluntarily submitted solely for\nelimination purposes.\xe2\x80\x9d The Act further defines keyboard searches as \xe2\x80\x9ca\nsearch under which information obtained from a DNA sample is compared\nwith information in the index [NDIS] without resulting in the information\nobtained from a DNA sample being included in the index [NDIS].\xe2\x80\x9d\n\n       The FBI concluded that \xe2\x80\x9cDNA samples lawfully obtained for a criminal\njustice purpose\xe2\x80\x9d included: (1) DNA samples obtained by a state in\naccordance with applicable state law that are not otherwise authorized for\ninclusion in NDIS, such as an arrestee sample; or (2) DNA samples obtained\nby a state or relevant law enforcement agency in accordance with a judicial\ncourt order, such as a suspect exemplar obtained pursuant to court order.\n\n      Finally, on January 5, 2006, the DNA Fingerprint Act of 2005 was\nsigned into law, and further changed the scope of NDIS as follows:\n\n      3\n          Pub. L. No. 106-546 (2000).\n      4\n          Pub. L. No. 107-56 (2001).\n      5\n          Pub. L. No. 108-405 (2004).\n\n                                        -4-\n\x0c   \xe2\x80\xa2   Federal arrestee profiles can be submitted to NDIS.\n\n   \xe2\x80\xa2   Federal detainee profiles can be submitted to NDIS.\n\n   \xe2\x80\xa2   States with legislation authorizing collection of arrestee profiles can\n       submit those profiles to NDIS.\n\n   \xe2\x80\xa2   The responsibility for initiating expungement procedures for profiles in\n       the indicted persons index was reassigned to the person whose\n       charges were dismissed or not prosecuted.\n\n   \xe2\x80\xa2   These changes eliminated the need for the one-time search provision\n       authorized by the Justice for All Act of 2004, because many of the\n       profiles that could have been searched using that provision can now be\n       added directly to NDIS for routine searches.\n\nAccording to the CODIS Unit Chief, in January 2006, the FBI assessed the\nimplications of this new law, and made changes to the NDIS procedures to\nreflect this expansion of NDIS. As a result of this new law, and in\nconjunction with additional administrative changes, the following indices\nwere added to NDIS in January 2006:\n\n   \xe2\x80\xa2   Arrestee Index, which consists of DNA records of persons who have\n       been arrested or indicted or charged in an information with a crime\n       and are required by law to provide DNA samples. This index replaces\n       the Indicted Persons Index created in 2005 as a result of the Justice\n       for All Act.\n\n   \xe2\x80\xa2   Legal Index, which consists of DNA records of persons whose DNA\n       samples are collected under applicable legal authorities, when the\n       resulting profiles do not belong in one of the other index categories.\n\n   \xe2\x80\xa2   Spouse Index, which consists of the DNA records of a presumptive\n       parent of a common child of a missing person. These records will help\n       deduce the profile of a missing parent when the child\xe2\x80\x99s DNA profile is\n       available.\n\n\nExpanding State Legislation\n\n       Individual states also have gradually expanded legislation, particularly\nas it pertains to the offenses for which, if convicted, a person must supply a\nDNA sample to that state\xe2\x80\x99s CODIS convicted offender database. States also\nhave moved toward requiring a DNA sample from all convicted felons, rather\n\n                                       -5-\n\x0cthan limiting their collections to offenders convicted of sexual or violent\noffenses. Figure 2 displays three snapshots, showing the dramatic increase\nin offender DNA sample collection legislation across the United States.\n\n            Figure 2 \xe2\x80\x93 Expansion of State Legislation Governing\n                      Offender DNA Sample Collection\n\n\n   1999 - 6 States                 2002 - 21 States                2005 \xe2\x80\x93 43 States\n\n\n\n\n        = States that began collecting DNA from all convicted felons previously\n        = States that began collecting DNA from all convicted felons in the year shown\n\nSource: Smith Alling Lane, a professional services corporation\n\nThese legislative expansions at the state level have resulted in a dramatic\nincrease through the years in the NDIS offender DNA database, as shown on\npage 7.\n\n\nIncreasing Number of CODIS Participants\n\n       Another means of expansion to NDIS has been the increasing number\nof participating and contributing state and local laboratories. For example,\nin May 1999, 32 laboratories in 12 states and 1 federal agency (the FBI)\nparticipated in NDIS. At the start of our audit in May 2005, 176 laboratories\nin 50 states and 2 federal agencies (the FBI and the Army) participated in\nNDIS. 6 These numbers translate to a 450-percent increase in the number of\nNDIS-participating laboratories in a 6-year period.\n\n      Within these numbers is a secondary area of increase in the number of\ncontributing NDIS laboratories. For a variety of reasons, not every\n\xe2\x80\x9cparticipating\xe2\x80\x9d laboratory was able to immediately contribute profiles to\n\n\n\n       6\n         These statistics reflect the fact that one laboratory that participated in NDIS in the\npast was suspended pending facility renovation or relocation.\n\n                                             -6-\n\x0cNDIS in the past. 7 For example, as of May 1999, only 10 of 12 participating\nstates had contributed offender DNA profiles to NDIS, and only 28 of\n32 laboratories had contributed forensic DNA profiles to NDIS. However, as\nof May 2005, all 176 NDIS-participating laboratories had contributed profiles\nto NDIS.\n\n\nIncreasing Number of Profiles in NDIS\n\n       The preceding factors of expansion, including federal and state\nlegislation and increasing numbers of participants, have caused a dramatic\nincrease in the number of profiles contained in the NDIS databases. The\nfollowing figures and data demonstrate the increases observed.\n\n                           Figure 3 \xe2\x80\x93 NDIS Offender Database\n                               Cumulative Totals by Year\n\n\n                    3.0\n\n                    2.5\n\n\n\n\n                                                                              2.7\n      In Millions\n\n\n\n\n                    2.0\n\n                    1.5                                           2.0\n                                                       1.5\n\n\n\n\n                    1.0\n                                            1.2\n                                  0.8\n\n\n\n\n                    0.5\n                           0.5\n\n\n\n\n                    0.0\n                          2000   2001     2002       2003        2004       2005 *\n      * through November 2005\n                                        Offender Profiles\n     Source: FBI CODIS Unit Chief\n\n      Figure 3 illustrates the significant increase from less than\n500,000 profiles in 2000 to over 2.7 million profiles by November 2005. Just\nas dramatic is the increase in forensic profiles, from approximately 22,000 in\n2000 to nearly 122,000 by November 2005, as shown in Figure 4.\n\n        7\n         These reasons can include such factors as technology changes, limited laboratory\nresources, or the strain placed upon a laboratory\xe2\x80\x99s productivity by changing legislation.\n\n                                          -7-\n\x0c                           Figure 4 \xe2\x80\x93 NDIS Forensic Database\n                               Cumulative Totals by Year\n\n\n                    140\n                    120\n\n\n\n\n                                                                122\n     In Thousands\n\n\n\n\n                    100\n\n\n\n\n                                                        94\n                     80\n\n\n\n\n                                                 71\n                     60\n                     40\n\n                                         46\n                     20\n                                  28\n                           22\n\n\n\n\n                      0\n                          2000   2001   2002    2003   2004    2005 *\n\n    * through November 2005             Forensic Profiles\n\n    Source: FBI CODIS Unit Chief\n\n\n\nCODIS Management and Measurements\n\n      The FBI\xe2\x80\x99s CODIS Unit has only existed since June 2003, following a\nreorganization within the FBI Laboratory Division. The predecessor of the\nCODIS Unit, the Forensic Science Systems Unit, managed other Laboratory\nDivision databases in addition to the CODIS Program. The reorganization\ntransferred those other databases to the operational unit counterparts to\nwhich they pertained. The Forensic Science Systems Unit, encompassing the\nCODIS Program and NDIS, was transferred from the Forensic Science\nSupport Section, Operational Support Branch to the Scientific Analysis\nSection, Forensic Analysis Branch, effective June 2003. With this transfer\ncame the name change to the CODIS Unit.\n\n      The CODIS Unit is charged with overseeing CODIS and NDIS\noperations and administration and ensuring that those operations comply\nwith applicable requirements. As part of those efforts, the FBI contracted\nwith Scientific Applications International Corporation (SAIC) in 1995 to\ndevelop CODIS software and software upgrades, to provide training and\ntechnical assistance to software users, and to physically maintain and secure\n\n\n\n                                          -8-\n\x0cNDIS. SAIC continues to maintain and operate the CODIS software and\nsystem.\n\n      According to the CODIS Unit Chief, as of November 2005,\n175 laboratories were participating in NDIS. 8 These laboratories collectively\nuploaded nearly 2.9 million profiles to NDIS, of which 96 percent were\nconvicted offender profiles. Specifically, NDIS includes:\n\n   \xe2\x80\xa2   2,743,068 convicted offender profiles;\n\n   \xe2\x80\xa2   123,835 forensic profiles;\n\n   \xe2\x80\xa2   1,481 relatives of missing person profiles;\n\n   \xe2\x80\xa2   621 unidentified human remains profiles; and\n\n   \xe2\x80\xa2   269 missing person profiles.\n\n      The success of CODIS is primarily measured through the number of\ncases that CODIS assists through a \xe2\x80\x9chit\xe2\x80\x9d (a match between DNA profiles\nproduced by CODIS that would not otherwise have been developed), also\nreferred to as \xe2\x80\x9cinvestigations aided.\xe2\x80\x9d Through November 2005, CODIS aided\n29,666 investigations in 49 states and 2 federal laboratories, as shown in\nFigure 6.\n\n\n\n\n       8\n        The decrease of one laboratory from May 2005 is due to the fact that the NDIS\ndatabase was moved to the FBI\xe2\x80\x99s laboratory building, eliminating one of the NDIS sites.\n\n                                          -9-\n\x0c                  Figure 6 \xe2\x80\x93 Investigations Aided by CODIS\n                            As of November 2005\n\n\n\n\n           Source: FBI, December 2005\n\n     The FBI also provides CODIS software to foreign law enforcement\nagencies with DNA capabilities to aid in criminal justice investigations. As of\nNovember 2005, 39 sites in 24 countries had received CODIS software. 9\n\n\nPrior Reviews\n\n       The Department of Justice Office of the Inspector General (OIG)\npreviously conducted an audit to determine the extent of state and local\nlaboratory participation in CODIS, particularly for those entities receiving\nlaboratory grants, and to evaluate the FBI\xe2\x80\x99s implementation and monitoring\nof CODIS. 10 At the time of that audit, the FBI did not have the resources to\ndirectly evaluate laboratory compliance with the QAS and NDIS\nrequirements. Consequently, oversight was limited to self-certification with\nthe QAS and NDIS participation requirements on the part of each laboratory.\nWe deemed self-certifications to present a high risk that FBI management\nwould not detect instances of non-compliance by NDIS-participating\n\n      9\n         The 24 countries are Belgium, Botswana, Canada, Chile, Colombia, Croatia, Czech\nRepublic, Denmark, England, Estonia, Finland, France, Hong Kong, Hungary, Italy,\nNetherlands, Norway, Poland, Portugal, Singapore, Slovakia, Spain, Sweden, and\nSwitzerland.\n      10\n        Department of Justice, Office of the Inspector General. Audit Report No. 01-26,\nThe Combined DNA Index System, September 2001.\n\n                                         - 10 -\n\x0claboratories. Consequently, we audited eight individual laboratories to\ndetermine compliance with applicable standards. 11 The collective results of\nthese efforts were described in the OIG\xe2\x80\x99s 2001 audit report. In that report\nwe concluded that:\n\n   \xe2\x80\xa2   The FBI needed to improve its oversight of CODIS-participating\n       laboratories to ensure the laboratories were in compliance with\n       applicable legislation, the FBI\xe2\x80\x99s quality assurance standards, and the FBI\n       requirements for laboratories participating in NDIS. Our audits of eight\n       state and local laboratories disclosed that four laboratories did not fully\n       comply with the FBI\xe2\x80\x99s quality assurance standards and NDIS participation\n       requirements. Also, we noted that the FBI did not have a process in\n       place to ensure that laboratories instituted appropriate corrective action\n       for findings of quality assurance audits.\n\n   \xe2\x80\xa2   The FBI needed to initiate procedures to ensure that DNA profiles in\n       CODIS are complete, accurate, and allowable. At six of the eight\n       laboratories audited, we found 49 unallowable or incomplete forensic\n       profiles in CODIS out of the 608 forensic profiles reviewed. The\n       unallowable profiles were from a known person other than a suspected\n       perpetrator, such as a victim, an entry that is strictly prohibited from\n       inclusion in CODIS. Further, at 2 of the 8 laboratories we identified\n       6 incomplete or unallowable convicted offender profiles in CODIS out of\n       the 700 convicted offender profiles we reviewed. We found that the\n       unallowable profiles in CODIS were uploaded either inadvertently or\n       because a laboratory did not fully understand the rules governing\n       acceptable profiles.\n\nAs a result of these findings, we made the following recommendations to the\nFBI:\n\n   \xe2\x80\xa2   Require that the accuracy, completeness, and allowability of the DNA\n       profiles in the national index be routinely verified through audits or\n       other means.\n\n   \xe2\x80\xa2   Ensure that analysts performing DNA testing at laboratories uploading\n       DNA profiles to the national index are aware of the NDIS\n       requirements, particularly those requirements delineating the types of\n       allowable profiles.\n\n\n\n       11\n          Of the eight laboratories, three were in Florida and one each in California, Illinois,\nNorth Carolina, Pennsylvania, and Virginia. See Appendix V, \xe2\x80\x9cFY 2000 Audits\xe2\x80\x9d list, for\nfurther details.\n\n                                            - 11 -\n\x0c     \xe2\x80\xa2   Develop and implement a process to ensure that laboratories\n         adequately resolve all deficiencies noted during the QAS-required\n         audits.\n\n      When we issued the report, we considered the status of each\nrecommendation resolved because the FBI and the OIG agreed on the\nfinding noted, and the FBI had planned but not completed its corrective\naction. In resolving the findings, we relied on:\n\n     \xe2\x80\xa2   Documentation that the FBI was working to develop a plan to routinely\n         verify the accuracy, completeness, and allowability of the DNA profiles\n         uploaded to the national index system.\n\n     \xe2\x80\xa2   A draft policy the FBI intended to implement requiring forensic\n         laboratories participating in NDIS to advise DNA analysts of the\n         requirements concerning allowable DNA profiles on an annual basis.\n\n     \xe2\x80\xa2   Documentation that the FBI initiated a program to monitor laboratory\n         quality assurance audits through a review panel of qualified scientists\n         (referred to as the NDIS Audit Review Panel) to verify that the\n         appropriate standards were used and, when applicable, that the\n         laboratory had taken appropriate corrective actions for audit findings.\n\n      Since the issuance of that audit report, the FBI has implemented\nseveral corrective action measures, which are further analyzed in Finding III.\nIn addition, since that time, the OIG has completed an additional 24 CODIS\nlaboratory audits. (See Appendix V for a complete listing of these audits.)\n\n\nAudit Approach\n\n     This audit was designed to determine the present status of CODIS\noperations. The objectives of our audit were to:\n\n1.       assess the adequacy of the FBI\xe2\x80\x99s administration of CODIS, including its\n         oversight of the national DNA database;\n\n2.       analyze findings from DNA laboratory audits, both OIG-conducted\n         audits and external quality assurance audits, to determine if they\n         reveal trends and vulnerabilities; and\n\n3.       evaluate the FBI\xe2\x80\x99s implementation of corrective actions in response to\n         findings from the OIG\xe2\x80\x99s September 2001 audit.\n\n\n\n                                       - 12 -\n\x0c      To accomplish these objectives, we reviewed various data and\ndocumentation provided to us by FBI officials, evaluated the results of past\nOIG CODIS laboratory audits, interviewed members of the CODIS Unit staff,\nand collected documentation from select NDIS-participating laboratories to\nanalyze:\n\n  \xe2\x80\xa2   CODIS unit staffing and responsibilities;\n\n  \xe2\x80\xa2   the accuracy of NDIS Audit Review Panel (Review Panel) records;\n\n  \xe2\x80\xa2   the timeliness of the Review Panel process;\n\n  \xe2\x80\xa2   CODIS program goals, objectives, and measurements;\n\n  \xe2\x80\xa2   CODIS unit oversight and monitoring of participants;\n\n  \xe2\x80\xa2   weaknesses in compliance with QAS or NDIS participation\n      requirements;\n\n  \xe2\x80\xa2   the adequacy of the FBI\xe2\x80\x99s corrective actions to our previous\n      recommendations;\n\n  \xe2\x80\xa2   the FBI\xe2\x80\x99s implementation of legislated changes to NDIS; and\n\n  \xe2\x80\xa2   the FBI\xe2\x80\x99s management of CODIS operations and infrastructure.\n\n      Additionally, to obtain the viewpoints of state and local\nNDIS-participating laboratories, we surveyed CODIS administrators at\nNDIS-participating laboratories (not including the FBI). The results of our\naudit are detailed in the Findings and Recommendations section of this\nreport, and the audit objectives, scope, and methodology are presented in\nAppendix I.\n\n\n\n\n                                    - 13 -\n\x0c                 FINDINGS AND RECOMMENDATIONS\n\nI.     FBI\xe2\x80\x99S ADMINISTRATION OF CODIS NEEDS IMPROVEMENT\n\n       The FBI received an overall positive assessment of its administration of\n       CODIS from the CODIS administrators we surveyed. The FBI has\n       given attention to CODIS infrastructure, development, and staffing.\n       However, based on our analysis of the survey responses and FBI\n       documentation, we have identified several areas in need of further\n       improvement, including improved compliance, responsiveness,\n       timeliness, and information sharing. In addition, the FBI needs to\n       identify the current obstacles that prevent the CODIS Unit from\n       achieving full staffing levels, reflect all activities in its performance\n       measurements, and continue the progress made with the system\n       infrastructure.\n\n\nAdministrator Survey Identifies Opportunities for Improvement\n\n       Each NDIS-participating laboratory is required by the MOU governing\nits participation to have an administrator who oversees CODIS operations at\nthat laboratory. The administrator is the liaison between the FBI and CODIS\nusers and is expected to relay necessary information to aid in compliance\nwith NDIS participation requirements. Consequently, the CODIS\nadministrators have an influential role in the CODIS community and have an\nopportunity to interact with the FBI in a way that would provide them with\nthe experience needed to assist us in assessing the effectiveness of the FBI\xe2\x80\x99s\nadministration of CODIS. As part of our effort to assess the FBI\xe2\x80\x99s\nadministration of CODIS, we conducted a survey of 174 CODIS\nadministrators. 12\n\n       Our analysis of survey results revealed an overall positive assessment\nof the FBI\xe2\x80\x99s administration of CODIS. However, we identified several\nopportunities for improvement. For example: (1) QAS compliance within\nthe CODIS community can be improved and workloads reduced if the FBI\nensures that all CODIS administrators receive QAS auditor training;\n(2) CODIS Unit responsiveness can be improved through sufficient staffing,\ntracking of information requests, and the use of other organizational tools;\n(3) CODIS community understanding and compliance with profile allowability\nrestrictions can be enhanced through increased emphasis on written sources\nof guidance that should be available to all CODIS users; (4) Review Panel\n\n       12\n          See Appendix II for a list of laboratories corresponding to the CODIS\nadministrators we surveyed.\n\n                                          - 14 -\n\x0ctimeliness can be improved if guidance is disseminated to the appropriate\nmembers of the CODIS community who can ensure that submissions are\ncomplete; and (5) the FBI can improve information sharing through better\nuse of the CODIS intranet website by disseminating written guidance to the\nCODIS community that is consistent, practical, and easy to navigate. These\nresults are further described in the following sections.\n\n\nSurvey Distribution and Design\n\n      Our survey was designed to provide feedback from CODIS\nadministrators on a variety of topics. The survey contained 46 primary\nquestions and 25 secondary and multi-part questions, resulting in 71 total\nquestions. (See Appendix VI for a complete listing of the survey questions\nand responses received.) Of the total, 26 questions allowed respondents to\nprovide supplemental comments in which to clarify or explain their answer.\nSupplemental comments were generally added when respondents gave a\nnegative answer. In total, we received 636 supplemental comments.\n\n      We developed questions from our analysis of the trends in the OIG\xe2\x80\x99s\nformer audits of CODIS laboratories, recommendations from members of the\nCODIS community, and the findings contained within the OIG\xe2\x80\x99s 2001 audit\nreport. In addition, the FBI provided suggestions for survey questions.\n\n      We divided the questions into seven topics, covering the major issues\nwe identified as potential areas of weakness in the FBI\xe2\x80\x99s administration of\nCODIS, which were applicable for comment by the administrators. Six of the\nseven topics contained questions in which respondents could provide\nadditional comment. The seven topics were: (1) demographics, (2) FBI\nCODIS Unit responsiveness, (3) allowability of DNA profiles, (4) laboratory\nquality, (5) general CODIS operations, (6) NDIS Audit Review Panel, and\n(7) FBI guidance to the CODIS community. 13\n\n      We provided administrators with 1 month (including a deadline\nextension) to submit their responses. In addition, we offered those states\nnot represented in the responses received by the deadline a further\nopportunity to respond. We received 144 responses from 47 states, which\n\n\n\n\n      13\n        The demographics category did not contain questions that would require\nsupplemental comment.\n\n                                        - 15 -\n\x0crepresents an 83-percent response rate. 14 Included in these responses were\nsurveys from 49 SDIS laboratories and 95 LDIS laboratories. With such a\nlarge number of both SDIS and LDIS respondents, we believe the responses\nfairly represent the views of CODIS administrators within the NDIS\ncommunity.\n\n       We analyzed survey results to detect commonalities of response and\nconsensus of opinions. As part of this analysis we tabulated responses for\nall questions, calculated a consensus for each question, identified trends in\nsupplemental comments, and determined if vulnerabilities were identified by\nthe consensus responses and comment trends. The results of our analysis of\nthe CODIS administrator survey results follow and are referenced throughout\nthis report where applicable. The complete listing of survey questions and\nresponses can be found in Appendix VII.\n\n\nSurvey Results and Analysis\n\n     While we generally note positive results below we also identify\npotential areas for improvement.\n\n       Demographics. We began our survey with questions that would help\nus ascertain the variety of experience, size of laboratories, and duties and\nactivities of the administrators. Responses indicated that the average time\nthe respondents had spent as a CODIS administrator was 3 to 5 years and\nthe average size of the respondents\xe2\x80\x99 DNA laboratories was 6 to 10 positions\n(including all staff specific to the DNA portion of their laboratory). Most\nrespondents (65 percent) were administrators who also had casework\nanalysis duties, and additional respondents (8 percent) were administrators\nwho also performed casework and offender analysis duties. In addition,\n13 percent were administrators who filled some other role, such as quality\nassurance manager or technical manager.\n\n       We found that 43 percent of CODIS administrators stated that they\nhave not taken the FBI\'s QAS auditor training (survey question 5), a course\nthat is designed to ensure a consistent understanding of the QAS and\napplication of the FBI\xe2\x80\x99s audit document, as well as an understanding of the\n\n\n\n\n       14\n           We did not receive a response from Idaho or Rhode Island. We received a\nresponse from Connecticut during our testing of the survey document, but we could not\ninclude it because of the preliminary condition of the survey and its inconsistencies with the\nfinal survey. Connecticut did not respond to the final survey.\n\n                                           - 16 -\n\x0cprinciples and objectivity surrounding auditing. 15 In our judgment, while not\nevery administrator may need guidance on how to conduct an audit, the\nFBI\xe2\x80\x99s QAS auditor training course would ensure that administrators are\nversed in QAS compliance to the degree necessary to assist their\nlaboratories in ensuring compliance.\n\n      Further, administrators stated that one of the top reasons for\ncontacting the CODIS Unit relates to QAS matters (survey question 6),\nmeaning that much time and effort is expended by both the administrators\nand CODIS Unit staff to address QAS issues. We believe this time and effort\ncould be minimized, freeing up time for other duties, if administrators\nreceived training in QAS compliance.\n\n      In addition, later survey results, in combination with the results of\nquestion 5, indicate that some administrators who have not taken the\nauditor training are still participating in the resolution of QAS audits for their\nlaboratory. We reached this conclusion from the fact that 66 percent of\nCODIS administrators indicated they are involved in the QAS audit resolution\nprocess (questions 30 and 31), but only 57 percent of the administrators\nhave taken the QAS auditor training. If CODIS administrators are to be\nresponsible in their laboratories for handling the audit resolution process,\nthey should have the benefit of receiving training in the accepted\ninterpretation of the QAS and the expected documentation to establish\ncompliance. Without that training, they could contribute to delays in the\nresolution process by failing to submit complete corrective action\ndocumentation or by challenging findings unnecessarily, both of which are\nfactors that we determine hinder the timeliness of the Review Panel. (See\nour analysis of Review Panel timeliness in Finding III, page 62.)\n\n      Separately, our analysis of QAS audit trends in Finding II reveals\ntrends that impact significant aspects of laboratory operations, such as\nchain-of-custody records and evidence storage and security. (See page 48\nfor additional detail.) The trends further emphasize the need for the FBI to\nensure that all key members of the CODIS community, including CODIS\nadministrators, are fully trained in compliance with the QAS.\n\n      We therefore conclude that by ensuring that administrators participate\nin the QAS auditor training, state and local laboratory compliance can be\n\n\n       15\n           The FBI\xe2\x80\x99s audit document is both an audit guide and a record of the standardized\ninterpretation of the QAS as developed by the FBI\xe2\x80\x99s Scientific Working Group on DNA\nAnalysis Methods (SWGDAM), the organization that is entrusted with the maintenance and\noversight of the QAS. SWGDAM includes representatives from federal, state, and local\nforensic laboratories.\n\n                                          - 17 -\n\x0cimproved and the workload of both the administrators and CODIS Unit staff\ncan be reduced.\n\n      FBI Responsiveness. We asked a series of questions (numbers 6\nthrough 11) to determine how responsive the CODIS Unit has been to\nmembers of the CODIS community. According to administrators, the\ntimeliness and helpfulness of FBI CODIS Unit staff is not a significant\nproblem, although we noted from the overall results of the survey that there\nis room for continued improvement. For example, we determined that 20\nrespondents made a total of 28 comments regarding the FBI\xe2\x80\x99s slow response\ntime and its inaccessibility. Those comments drew attention to various\nissues that, if addressed, could improve the CODIS Unit\xe2\x80\x99s responsiveness.\nAccording to these respondents:\n\n   \xe2\x80\xa2   The CODIS Unit is understaffed, contributing to the delays in\n       responses to the CODIS community.\n\n   \xe2\x80\xa2   The CODIS Unit does not currently track requests for information.\n       Tracking could be done using a system similar to the one used when\n       CODIS participants contact the CODIS system help desk.\n\n   \xe2\x80\xa2   The CODIS Unit should organize its staff and use written guidance to\n       improve responsiveness. For example, the CODIS Unit could have\n       resident points of contact on specific topics that would enable CODIS\n       participants to submit their questions on those topics to the\n       appropriate person within the CODIS Unit. Alternatively, the CODIS\n       Unit could use its intranet website to offer frequently asked questions\n       that could have relevance to other labs (thereby reducing information\n       requests), or have on-line information request forms that could be\n       forwarded to the appropriate person. 16\n\n       Our analysis of unit staffing confirms that understaffing of the CODIS\nunit is an important issue (see page 29). Further, without some means of\ntracking information requests, the FBI cannot ensure that it responds to all\nrequests in a timely fashion. Finally, by identifying topic-specific points of\ncontact and enhancing information sharing through the CODIS intranet, the\nCODIS Unit can improve its responsiveness to the CODIS community.\n\n\n\n       16\n           The FBI uses the Criminal Justice Information Systems Wide Area Network (CJIS\nWAN) to facilitate each laboratory\xe2\x80\x99s access to the CODIS system. When CODIS participants\nlog on to the system through the CJIS WAN, they access the CODIS intranet website that is\naccessible only to CODIS users and that serves as a resource for system assistance, forms,\nguidance, and notices.\n\n                                          - 18 -\n\x0c       Profile Allowability. NDIS Participation Requirements specify the\nrestrictions for profiles that are permissible for inclusion in NDIS. We asked\na series of questions (numbers 12 through 20) to assess the level of\nadministrators\xe2\x80\x99 understanding of those restrictions and their ability and\nconfidence to apply that understanding in determining whether a specific\nprofile was permissible, or allowable, for inclusion in NDIS. Results indicate\nthat administrators are knowledgeable and confident in determining profile\nallowability as a routine part of their duties. However, the survey results\nalso indicate that administrators lack confidence in whether there is\nconsensus in the CODIS community about what is allowable and in the\ncompliance of other laboratories in submitting only allowable profiles.\n\n      The survey results indicated that administrators did not identify\nthemselves as solely responsible for making sure casework profiles are\nuploaded in compliance with NDIS requirements. As shown in Figure 7,\nanalysts and reviewers were identified as the responsible official almost as\noften as administrators.\n\n                Figure 7 \xe2\x80\x93 Results of Survey Question 12\n\n         In your laboratory, who is ultimately responsible for\n         ensuring casework profiles are uploaded per NDIS\n         requirements?\n\n                      5%                        Analyst\n                             12%\n                13%                             CODIS Administrator\n\n                                                Analyst & Reviewer\n\n\n              26%                41%            All\n\n                                                Analyst & CODIS\n                                                Administrator\n         Source: Responses from 144 CODIS administrators\n\n      On-going guidance on profile allowability is provided primarily to\nCODIS administrators during national CODIS meetings where profile\nallowability scenarios are discussed in an open forum. The discussion\nsessions serve as a source of helpful guidance and clarification on profile\nallowability, as emphasized by the number of comments to this effect from\nsurvey respondents. However, not all analysts and CODIS users attend each\nnational meeting. Conversely, as shown in Figure 7, only 41 percent of\n\n                                      - 19 -\n\x0cadministrators are solely responsible for ensuring that profiles uploaded to\nNDIS are suitable for inclusion. Therefore, we believe this same guidance\nmay not be communicated to the responsible staff in each CODIS laboratory.\nWe conclude that the FBI needs to take steps to ensure that all CODIS users\nare provided the same guidance that is given at national meetings regarding\nprofile allowability. Such steps could include enhancing the information\nsharing of the CODIS intranet, through scenarios or decision-trees accessible\nto all CODIS users.\n\n      The CODIS Unit Chief told us that all CODIS users are required to sign\nthe profile allowability certification form, which specifies that they know and\nunderstand NDIS procedures governing allowability of profiles. However,\nsince the FBI does not verify that those forms are completed as required,\nthe FBI cannot totally rely on those certifications to ensure that all CODIS\nusers who make profile allowability decisions are receiving the necessary\nguidance to ensure compliance. 17\n\n      In addition, we observed that administrators primarily view a person,\nrather than a law, policy, or other form of written guidance, as their primary\nsource on profile allowability matters. For example, respondents were asked\nin question 19, \xe2\x80\x9cIf a member of your DNA laboratory has a question\nregarding whether a profile is allowable for upload to NDIS, who or what\nwould be their most likely source for clarification?\xe2\x80\x9d Respondents could offer\nmore than one reply. Out of 143 responses, as all or part of their answer,\n111 respondents cited \xe2\x80\x9cCODIS Administrator in their laboratory\xe2\x80\x9d as a source\nof guidance; 27 respondents cited \xe2\x80\x9cCODIS Administrator Handbook\xe2\x80\x9d; and\nanother 27 respondents cited \xe2\x80\x9cCODIS administrator in another laboratory.\xe2\x80\x9d\nThese responses primarily identify a person, rather than a formal written\ndocument, as the source of guidance for the staff within their laboratory.\n\n       Also, the following results for questions 16a through 16c primarily\nindicate a person rather than a document as the final authority on what\nprofiles are uploaded to CODIS, as shown in Figure 8.\n\n\n\n\n       17\n           For more information on completion of the user certification forms, see the results\nof the trend analysis of OIG CODIS laboratory audits in Finding II and our analysis of\ncorrective action in Finding III.\n\n                                           - 20 -\n\x0cFigure 8 \xe2\x80\x93 Results of Administrator Survey Question 16a \xe2\x80\x93 16c\n\n\n         Question 16a: Who or what is the final authority on what\n                    profiles your lab uploads to LDIS?\n\n   National Representative\n\n   State Representative\n\n\n\n\n                                What or Who\n   Local Representative\n\n   National Law or Policy\n\n   State Law or Policy\n\n   Local Law or Policy\n                                       0%      20%      40%        60%   80%\n Note: Multiple responses permitted                  Percentages\nSource: Responses from 119 CODIS administrators\n\n\n\n          Question 16b: Who or what is the final authority on what\n                     profiles your lab uploads to SDIS?\n\n   National Representative\n\n   State Representative\n                                 What or Who\n\n\n\n\n   Local Representative\n\n   National Law or Policy\n\n   State Law or Policy\n\n   Local Law or Policy                    0%   20%       40%       60%   80%\n\n Note: Multiple responses permitted                  Percentages\n\nSource: Responses from 129 CODIS administrators\n\n\n\n\n                                - 21 -\n\x0c                      Question 16c: Who or what is the final authority on what\n                                profiles your lab uploads to NDIS?\n\n              National Representative\n\n\n\n\n                                            What or Who\n              State Representative\n\n              Local Representative\n\n              National Law or Policy\n\n              State Law or Policy\n\n              Local Law or Policy                    0%   20%        40%          60%\n\n                                                             Percentages\n            Note: Multiple responses permitted\n\n           Source: Responses from 133 CODIS administrators\n\n     We believe the FBI must take steps to ensure that the NDIS\ncommunity relies on written law or policy to ensure consistent and thorough\ncompliance with the NDIS requirements, for consistency, reproducibility, and\nminimization of human error and subjectivity. See the section on \xe2\x80\x9cFBI\nGuidance\xe2\x80\x9d results on page 26 for additional discussion of written guidance.\n\n       Laboratory Quality. We asked CODIS administrators to comment on\nthe operational quality of their laboratory and other laboratories with which\nthey are familiar (questions 21 through 23). Respondents rated their own\nlaboratory\xe2\x80\x99s quality, as well as the quality of their laboratory in relation to\nothers, fairly high. However, 8 percent of respondents stated that they were\naware of a CODIS laboratory operating with what they believed to be a\nmaterial weakness. Their comments revealed that they identified issues that\nincluded the inherent limitations of one-person DNA laboratories, uninvolved\noff-site technical leaders, laboratories that upload profiles that have not\nbeen fully reviewed, and laboratories that emphasize quantity over quality.\nAccording to our discussions with the CODIS Unit Chief and the chairperson\nof SWGDAM, these weaknesses are already known and are being considered\nin conjunction with on-going revisions to the QAS. 18 However, we\nrecommend continued attention to these material weaknesses.\n\n\n      18\n          The QAS are revised by SWGDAM through a formal process requiring discussion\nand approval at several administrative levels and overall consensus by key members or\norganizations within the DNA community.\n\n                                           - 22 -\n\x0c       CODIS Operations. We asked administrators to assess various aspects\nof CODIS operations (questions 24 through 29). The CODIS administrators\nmade it clear through their responses that the overall sentiment regarding\ngeneral CODIS operations is positive. Specifically, we found that the CODIS\ncontractor, the CODIS software, and the FBI\xe2\x80\x99s current management of\nCODIS all received high marks from respondents, and that administrators\nfelt there had been a fair measure of improvement in the FBI\xe2\x80\x99s management\nof CODIS under the current CODIS Unit Chief\xe2\x80\x99s leadership.\n\n     Further, respondents identified what they believe to be the most\nimportant successes of CODIS:\n\n  \xe2\x80\xa2   crime-solving and prevention;\n\n  \xe2\x80\xa2   system benefits (for example, information management, system\n      capabilities, and software enhancements and upgrades);\n\n  \xe2\x80\xa2   community assistance (for example, grants, national meetings,\n      training, legal assistance, and the help of the CODIS Unit staff); and\n\n  \xe2\x80\xa2   communications and connections (including a national and\n      international network of laboratories and the CODIS website).\n\n      Respondents also identified what they believe to be the greatest\nchallenges to CODIS in the next 5 years:\n\n  \xe2\x80\xa2   expansion and change (particularly legislated expansion and resulting\n      changes);\n\n  \xe2\x80\xa2   resource limitations (including backlogs);\n\n  \xe2\x80\xa2   profile integrity (including confusion regarding profile allowability,\n      consistency in what is uploaded to CODIS, and quality control of the\n      data); and\n\n  \xe2\x80\xa2   system operations (including capacity of the system, computer\n      security, and continuity of operations).\n\n      NDIS Audit Review Panel. In order for a laboratory to meet the QAS\nrequirement for a biannual external QAS audit, the audit must be conducted\nusing the FBI\xe2\x80\x99s approved audit document by QAS auditors that have\n\n\n\n\n                                    - 23 -\n\x0csuccessfully completed the FBI\xe2\x80\x99s auditor training. 19 The FBI further requires\nthat these external QAS audits be submitted to the NDIS Audit Review\nPanel. The CODIS Unit oversees the Review Panel, a group of volunteer\nmembers of the DNA community and FBI staff members who meet specific\nprofessional criteria. The Review Panel reviews all external QAS audits\nconducted in NDIS-participating laboratories across the country, with the\npurpose of ensuring consistent and thorough application of the QAS and\nappropriate and complete corrective action.\n\n       We asked a series of questions (numbers 30 through 35) designed to\nprovide insight into what experience the CODIS administrators have had\nwith the Review Panel process, and what their comments are regarding the\nReview Panel\xe2\x80\x99s accomplishment of its purpose. As shown in Figure 9,\noverall, respondents who have experience with the Review Panel process\nfeel that it has improved compliance with the QAS.\n\n\n\n\n      19\n        We use the term \xe2\x80\x9cQAS auditors\xe2\x80\x9d to refer to the DNA scientists within the DNA\ncommunity that perform audits of compliance with the FBI\xe2\x80\x99s QAS.\n\n                                         - 24 -\n\x0c        Figure 9 \xe2\x80\x93 Results of Administrator Survey Question 30 20\n\n      Do you believe the NDIS Audit Review Panel has improved community\n      compliance with the QAS? [Check all that apply]\n\n\n\n\n                                                               13%\n                         34%             48%\n                                                               9%\n                                       Total\n                                       Yes\'s                  26%\n\n                           13%\n\n\n\n                     Yes: Ensures consistency\n                     Yes: Ensures corrective action\n                     Yes: Ensures both of these\n                     No: Still enforcing individual interpretations\n                     Unsure\n\n             Source: Responses from 141 CODIS administrators\n\n      Those who did not believe the Review Panel had improved compliance\nfocused on the fact that individual interpretations of the QAS, rather than\nstandardized interpretations, occur within the DNA community.\nAdministrators also indicated that there has been improvement to Review\nPanel timeliness but that additional improvement is needed. 21\n\n      We found that 31 percent of the respondents with experience in the\nReview Panel process stated that they had to supply additional corrective\naction documentation after their original submission to the Review Panel\n(question 33), which delayed the process for up to 6 months (question 34).\nIn addition, the responses to questions 30 and 31 indicated that a large\n\n        20\n            Note that this chart does not reflect the approximately 4 percent of\nadministrators who designated \xe2\x80\x9cOther\xe2\x80\x9d as their response, accompanied by an explanatory\ncomment.\n        21\n            We further address QAS auditor consistency under Finding II and audit panel\ntimeliness under Finding III.\n\n                                         - 25 -\n\x0cpercentage (34 percent) of the CODIS administrators are not involved in the\nReview Panel process. Yet, based on our observations, CODIS\nadministrators are the members of the NDIS community who often receive\nthe guidance disseminated at national meetings regarding the Review Panel\nprocess and key factors in ensuring that a submission to the panel is\ncomplete.\n\n      We conclude from these responses that, by providing guidance to\npertinent laboratory staff on ensuring their initial submission to the Review\nPanel is complete, one delay that undermines Review Panel timeliness can\nbe reduced. In presenting our conclusion to the FBI, the CODIS Unit Chief\nstated that he understood our perspective. He subsequently asked the\nattendees at the 2005 National CODIS Conference for the contact\ninformation for the person in each laboratory who is responsible for the audit\nresolution process. The CODIS Unit Chief further stated that he would use\nthese points-of-contact to develop a comprehensive mailing list to\ndisseminate guidance or information to the NDIS community regarding the\nReview Panel process.\n\n       FBI Guidance. Finally, we asked administrators to provide feedback on\nvarious aspects of the FBI\xe2\x80\x99s guidance to the CODIS community (questions 36\nthrough 46). Respondents were fairly positive about the FBI\xe2\x80\x99s guidance to\nCODIS participants on compliance with the QAS and NDIS requirements.\nAdministrators\xe2\x80\x99 perception of the FBI\xe2\x80\x99s consistency in guidance was\nmoderate, but overall, they stated that inconsistencies had limited impact on\ntheir ability to perform and comply with requirements. However, they\nindicated concern about the FBI-developed QAS audit guide (commonly\nreferred to as the \xe2\x80\x9caudit document\xe2\x80\x9d) and the adequacy of the FBI\xe2\x80\x99s guidance\non proper use of the audit guide, as shown in Figure 10.\n\n\n\n\n                                    - 26 -\n\x0c                   Figure 10 \xe2\x80\x93 Responses to Administrator\n                         Survey Questions 38 and 39\n\n\n     Question 38: Do you believe\n     that the FBI\xe2\x80\x99s audit document                16%\n     enables an external QAS auditor\n     to identify all of a laboratory\xe2\x80\x99s                                       Yes\n     quality assurance weaknesses?\n                                                             58%             No\n     140 responses, 33 supplemental           26%                            N/A\n     comments\n\n\n\n\n     Question 39: Do you believe the\n     FBI has provided adequate\n     training on the proper use of the                 17%\n     QAS audit document to ensure\n     that community QAS auditors                                         Yes\n     are consistent and thorough in                          48%\n     their assessment of compliance\n                                                                         No\n     with the QAS?                                35%                    N/A\n     140 responses, 48 supplemental\n     comments\n\n     Source: Responses from 140 CODIS administrators\n\n       In the supplemental comments submitted with the responses to these\nquestions, inconsistencies between QAS auditors were emphasized (as with\nquestion 30 in Figure 9), as were inconsistencies between the QAS auditors\nand other members of the DNA community. In addition, we determined that\nthroughout the survey, 83 respondents made a total of 161 comments on\ninconsistencies in the way the QAS are interpreted within the DNA\ncommunity. These comments identified the need for increased and\nimproved training and improved guidance for all members of the CODIS\ncommunity. See Finding III for additional conclusions regarding auditor\ntraining.\n\n      In addition, 37 of the respondents made a total of 51 comments\nregarding the need for the FBI to share information better by posting of\nguidance on the CODIS intranet website, such as frequently asked questions\n\n                                     - 27 -\n\x0cand common audit findings. We reviewed the contents of the CODIS\nwebsite at one CODIS laboratory to assess the suggestions that were made\nfor additional content. We found that while the current website appears to\nbe a helpful tool for CODIS users, there are several ways that it could be\nenhanced to provide better guidance. For example, the website needs\nbetter tools for navigating the information it contains, such as a\ncomprehensive table of contents or index for NDIS procedures,\ndecision-trees for profile allowability, and a list of frequently asked questions\nthat direct CODIS users to the correct place within the NDIS procedures for\nadditional guidance on various subjects. In addition, we found that some of\nthe information on the website was not current (such as a list of upcoming\nQAS auditor courses that showed no entries after January 2005), and\ntherefore was of no benefit. The FBI needs to ensure that the information is\nupdated regularly to further encourage CODIS users to view the CODIS\nwebsite as relevant and helpful to their daily activities.\n\n      When we discussed these suggested changes with the CODIS Unit\nChief, he stated that the guidance the website already contains is not used\nas much as it could be. He added that members of the CODIS community\noften tell him that they are unsure of what NDIS procedures say, or that\nthey were unaware of a change that had been highly publicized within the\nCODIS community months prior. We believe that while there may be those\nin the CODIS community who are not using the CODIS website, this should\nnot prevent the FBI from making improvements to it to maximize the\nopportunity to provide written, user-friendly, relevant, and comprehensive\nguidance to the CODIS community.\n\n       Overall Analysis. In reviewing the overall survey responses and\nstatements made by FBI management, we found that the FBI placed too\nmuch reliance on verbal rather than written guidance in everyday\ncommunications and in meeting discussions concerning the QAS and NDIS\nrequirements. For example, the CODIS Unit Chief commented that he gives\ngreater priority to phone rather than to electronic communications in\neveryday responses to the CODIS community, and that he is hesitant to put\nguidance in writing when dealing with a laboratory-specific situation. He\nlater clarified that answer by saying that he wants to avoid identifying\nspecific laboratories by name or situation. However, we believe that the\nCODIS Unit Chief should attempt to use the interaction he has with\nindividual labs as a means of identifying where additional guidance to the\nentire community is warranted. He could do this through the CODIS website\nor other avenues, without identifying specific labs.\n\n     Verbal communication is inherently more susceptible to\nmisunderstandings, misapplications, and inconsistencies. For example,\n\n                                     - 28 -\n\x0cadministrators who responded to question 44b, which asked administrators\nfor possible causes of the inconsistencies in the FBI\xe2\x80\x99s guidance to the\ncommunity, stated that perceptions shifting over time are primarily to blame\nfor the inconsistencies observed, something that does not occur with written\nguidance. The FBI can increase the NDIS community\xe2\x80\x99s reliance on written\nguidance through simple practical means, such as the improvements to\ninformation sharing previously suggested, documenting guidance given to\nindividual laboratories through written correspondence, and by\ndisseminating that guidance wherever applicable to the overall community.\n\n       FBI management responded by saying that they view our conclusions\npositively, and that our work will be very helpful in identifying ways in which\nthey can better assist the CODIS community, particularly the specific\nsuggestions for how they can improve handling of tools like the CODIS\nwebsite.\n\n\nInadequate CODIS Unit Staffing\n\n      At the initiation of this audit in May 2005, the CODIS Unit was\ncomprised of five staff: the unit chief, three program analysts, and a\nmanagement assistant. An additional seven positions were vacant, two of\nwhich had been filled pending completion of security clearances. To assess\nthe adequacy of Unit staffing, we requested and analyzed documentation\nfrom the FBI to ascertain its past handling of CODIS Program staffing and to\ndetermine its current efforts to fill the vacant positions in the CODIS Unit.\n\n\nHistorical Staffing\n\n      We requested staffing information for the CODIS Program since 1997,\nto assess the FBI\xe2\x80\x99s previous efforts in staffing the Program. The information\nwe received revealed the following:\n\n   \xe2\x80\xa2   In the approximate 6 years (August 1997 to October 2003) preceding\n       the current unit chief, there were a total of six unit chiefs (some in an\n       \xe2\x80\x9cacting\xe2\x80\x9d capacity) who oversaw CODIS operations. In our judgment,\n       this rate of turnover in leadership undermines the ability of anyone to\n       properly oversee the CODIS Program and also undermines the\n       continuity needed for consistent interactions and guidance with the\n       CODIS community.\n\n\n\n\n                                      - 29 -\n\x0c   \xe2\x80\xa2   Due to staff vacancies, the CODIS Unit Chief also currently functions\n       as the NDIS Custodian and Program Manager. 22 That position has not\n       been filled by a dedicated staff member since June 2001.\n       Consequently, there has been a dedicated NDIS Program Manager for\n       approximately 2.5 of the more than 7 years (October 1998 to\n       November 2005) of NDIS operations, or roughly 37 percent of the\n       time. According to the CODIS Unit Chief, no formal description\n       currently exists that describes the NDIS Custodian duties.\n\n   \xe2\x80\xa2   Over 4 years (June 2001 to August 2005) lapsed without a permanent\n       employee to fill the position of CODIS Program Manager.\n\n   \xe2\x80\xa2   Although CODIS and NDIS experienced dramatic growth since NDIS\n       became operational in late 1998 through fiscal year (FY) 2004, there\n       was a minimal increase in positions.\n\n      However, beginning in February 2004, the FBI increased the CODIS\nUnit staff by 7 positions, bringing its full staffing level to 12. In July 2004, a\nbusiness plan was submitted to FBI management requesting the creation of\ntwo new position categories in the CODIS Unit for a total of four new\nemployees, including a paralegal specialist and three CODIS auditors. That\nbusiness plan was approved in early August 2004. The CODIS Unit\'s\nFY 2005 full staffing level of 12 positions is allocated according to the\norganization chart contained in Figure 11 on page 32.\n\n\nCurrent Staffing\n\n       The seven vacant positions in the CODIS Unit include both historical\npositions as well as the new positions approved in August 2004. The current\nCODIS Unit Chief, who assumed his position in November 2003, provided\nthe following details to demonstrate the progress made in staffing the CODIS\nUnit.\n\n       CODIS Program Manager Position. The CODIS Program Manager\nposition was an existing position that was vacant. In May 2004, the CODIS\nUnit Chief requested that this position be advertised, which it was in June\n2004. However, the posting was cancelled because of an error, and then\nposition was put on hold because of a new hiring process. The position was\n\n       22\n           The NDIS Custodian is the FBI employee responsible for ensuring NDIS is\noperated in compliance with the DNA Identification Act, the Privacy Act, the NDIS\nMemorandum of Understanding between the FBI and participating laboratories, and all other\nrelevant legislation or regulations. The NDIS Program Manager serves as the NDIS\nCustodian and also oversees other aspects of NDIS operations.\n\n                                         - 30 -\n\x0cnot reposted until November 2004. A selection was made in February 2005,\nthe necessary background clearance was completed, and the new CODIS\nProgram Manager reported to duty August 22, 2005.\n\n       NDIS Program Manager Position. Another of the existing vacant\npositions, the NDIS Program Manager, was advertised for 2 weeks in March\n2005 and again for 2 weeks in July 2005. No one applied for the March\nposting, and no applicants with the required experience applied for the July\nposting. No further action had been taken as of December 2005.\n\n       CODIS Auditor Positions. The CODIS auditor positions were approved\nas new positions within the FBI on August 6, 2004, and were advertised the\nfirst 2 weeks of December 2004. From the applications received, only one\napplicant was considered qualified based upon the position criteria and that\nperson was selected for the position on March 24, 2005. The background\nclearance needed to allow this person to report to duty was still pending as\nof December 2005. To fill the remaining two auditor positions, the CODIS\nUnit Chief requested re-advertising the positions in May 2005 but the FBI did\nnot repost them until November 2005.\n\n      Paralegal Specialist Position. The FBI approved the new paralegal\nspecialist position on August 6, 2004 but did not post the position until May\n2005. The FBI selected an applicant in September 2005, but the\nbackground clearance for that person was pending as of December 2005.\n\n      The FBI has not taken any action on the National Missing Persons\nProgram Manager position. In addition, as of the end of September 2005,\none of the three program analyst positions was vacated. The FBI posted\nthat position in December 2005.\n\n       In summary, as of December 2005, one clearance was completed and\nthe new staff member reported to duty (CODIS Program Manager). In\naddition, one position was vacated (program analyst) and another two filled\npending clearance (CODIS auditor and paralegal). Consequently, the\nstaffing status in December 2005 was the same as it had been in May 2005,\nwith a total of five positions filled, two positions pending clearance, and five\npositions vacant. Figure 11 reflects the total positions assigned to the\nCODIS Unit, and the status of those positions as of December 2005.\n\n\n\n\n                                     - 31 -\n\x0c                     Figure 11 \xe2\x80\x93 CODIS Unit Organization Chart\n                                as of December 2005\n\n\n                                   Unit Chief\n\n\n\n\n                     Management\n                      Assistant\n\n\n\n  National Missing       CODIS Program                               NDIS Program\n  Persons Program             Manager                              Manager/Custodian\n  Manager, Vacant       Filled August 2005                              Vacant\n\n\n\n\n                         Program Analyst                CODIS Auditor            Program Analyst\n                             Vacant                   Clearance Pending\n\n\n\n\n                                                       CODIS Auditor             Program Analyst\n                                                          Vacant\n\n\n\n                                                                                Paralegal Specialist\n                                                       CODIS Auditor            Clearance Pending\n                                                          Vacant\n\n\nSource: FBI CODIS Unit management\n\n\n\nConclusion\n\n       In the several years preceding 2004, the FBI failed to staff the CODIS\nUnit commensurate with growing demands and participation and thereby put\nat risk the ability of CODIS staff to properly oversee and administer the\nCODIS Program. However, in 2004, FBI management took action to\nincrease CODIS staffing and provide a sufficient number of program\nmanager positions, including a CODIS Program Manager, an NDIS Program\nManager (Custodian) and a National Missing Persons Program Manager.\n\n\n\n\n                                             - 32 -\n\x0c       Yet, progress in staffing these positions has been slow. Our results at\nthe unit level are similar to the findings in the report of the National\nAcademy of Public Administration (NAPA) on the FBI\'s management of\nhuman capital. 23 For example, the NAPA report cites the lack of a\ncomprehensive leadership development plan for subordinate levels of\nmanagement, which we found in the historical handling of the manager\npositions for the CODIS Program. Further, the NAPA report states that the\nprocess to hire all other types of personnel is cumbersome, costly, and\nuntimely, and that hiring plans are inadequate. We noted similar issues for\nthe CODIS Program in both the historical staffing data, as well as the current\nstaffing data. For example:\n\n   \xe2\x80\xa2   Of the four new positions approved for the CODIS Unit in August 2004,\n       the FBI had made selections for only two positions (a CODIS auditor\n       and the paralegal specialist) as of December 2005, approximately\n       16 months later. Both of these positions were pending background\n       clearances (the clearance processes initiated in April and September\n       2005, respectively) at that time.\n\n   \xe2\x80\xa2   Of the four new positions, it took over 9 months from the time one of\n       them was approved (August 2004) to the time it was advertised (May\n       2005). It took approximately 4 months from the time the remaining\n       three positions (CODIS auditors) were approved to the time they were\n       advertised.\n\n   \xe2\x80\xa2   The NDIS Program Manager, a position that existed previously and\n       was reaffirmed with the February 2004 allocation, was not advertised\n       until March 2005, and was re-advertised in July 2005, with no success\n       for either advertisement and no further action taken as of December\n       2005.\n\n       Although the FBI has taken steps to provide increased staffing levels\nfor the CODIS Unit, attention now needs to be given to filling those\npositions. According to our analysis of trends in the OIG CODIS laboratory\naudits (see Finding II), most of the findings noted pertain to compliance with\nNDIS requirements, which demonstrates the need for an NDIS Program\nManager. Further, according to the CODIS Unit Chief and CODIS contractor\nstaff overseeing changes to NDIS Procedures for the FBI, FY 2005 brought\nmore changes to NDIS procedures than has occurred in a single year\npreviously. In our judgment, the FBI must give immediate attention to the\nNDIS Program Manager position, in light of the need for rigorous ongoing\n\n       23\n           National Academy of Public Administration. Transforming the FBI: Roadmap to an\nEffective Human Capital Program (2005).\n\n                                         - 33 -\n\x0coversight of the NDIS community\'s compliance with, and the maintenance\nof, the NDIS participation requirements. 24\n\n\nAdditional Performance Measurements Needed\n\n      The Government Performance and Results Act requires agencies to\ndevelop strategic plans that identify their long-range goals and objectives\nand to establish annual plans that set forth corresponding annual goals and\nindicators of performance. 25 Accordingly, we asked FBI officials to provide\nus with the documents necessary to assess the CODIS Unit\xe2\x80\x99s goals,\nobjectives, and indicators of performance.\n\n      After the CODIS Unit was established in June 2003, FBI management\ndecided to reassess the mission, goals, and objectives of the CODIS\nProgram. In September 2004, Laboratory Division management approved\nthe resulting mission, goals, and objectives. According to the revised\nmission statement, the CODIS Unit is responsible for: (1) developing,\nproviding, and supporting CODIS to federal, state, local, and international\nlaw enforcement agencies; (2) managing CODIS and NDIS, including\nproviding administrative support to the NDIS and DNA-related committees\nand groups and telecommunications support to CODIS participants; and\n(3) implementing the requirements of the DNA Identification Act of 1994,\nthrough creation and management of standards, assistance with\nDNA-related legislative initiatives, and coordination with DNA-related\nauditing organizations.\n\n        To accomplish this mission, the CODIS Unit has one primary goal: to\nfacilitate the use of DNA technology in assisting the criminal justice\ncommunity in solving crimes. To achieve that goal, the CODIS Unit outlined\neight objectives:\n\n1.     Expand the number of states participating in the National DNA Index\n       System to include all 50 states.\n\n2.     Encourage states to expand coverage of their state DNA databases to\n       include all felony offenders and misdemeanor sexual offenders.\n\n\n       24\n           We use the term \xe2\x80\x9cNDIS participation requirements\xe2\x80\x9d to capture all requirements\nwith which an NDIS participating laboratory must comply, including the MOU for\nparticipation and the NDIS procedures. See further details of this criteria in Appendices III\nand IV.\n       25\n            Pub. L. No. 103-62 (1993).\n\n                                           - 34 -\n\x0c3.     Develop and implement a missing persons and mitochondrial DNA\n       database at the national level. 26\n\n4.     Enhance training and information available to CODIS users.\n\n5.     Enhance awareness of the CODIS Program within the criminal justice\n       community.\n\n6.     Expand the CODIS Program both domestically and internationally,\n       through the Legal Attach\xc3\xa9 Program.\n\n7.     Ensure administration of NDIS in accordance with applicable federal\n       laws and regulations.\n\n8.     Continue to develop CODIS software as a means to assist in the\n       identification and capture of international terrorists.\n\n      Of these eight objectives, only two relate to finite tasks that can be\naccomplished at a point in time (numbers one and three). We were able to\ndetermine from information provided to us that these tasks have been\naccomplished. To address the on-going objectives, the CODIS Unit\nmaintains a record of actions necessary to accomplish the objectives in a\ndocument titled \xe2\x80\x9cImplementing Actions.\xe2\x80\x9d These actions, which are specific\nand numerous, reflect current and planned actions. The actions also appear\nto be appropriate and sufficiently detailed to allow CODIS Unit management\nto address the objectives in an on-going manner.\n\n      The FBI has established performance measurements, setting targets\nfor each year and then comparing actual accomplishments to those targets.\nThose measurements are: (1) investigations aided, (2) CODIS matches,\n(3) NDIS-participating labs, (4) CODIS users trained, (5) NDIS-participating\nstates, (6) offender profiles in NDIS, and (7) forensic profiles in NDIS.\nThese measurements are cross-referenced with strategic plan goal numbers\nor areas and categories that track to the Laboratory Division\xe2\x80\x99s other\nmanagement documents. Figure 12 captures data provided to us by the FBI\nfor the CODIS Unit\xe2\x80\x99s performance measurements, including the goals for FYs\n2003 through 2006, and the actual achievements for FYs 2003 through\n2005.\n\n\n\n       26\n          Mitochondrial DNA is small circular DNA that is inherited maternally, and is found\noutside the nucleus in most cells. Mitochondrial DNA is more robust than nuclear DNA, but\ndoes not have the same power of discrimination, since all maternal relatives share the same\nmitochondrial DNA.\n\n                                          - 35 -\n\x0cFigure 12 \xe2\x80\x93 CODIS Unit Performance Data, FY 2003 \xe2\x80\x93 FY 2006 27\n\n                                           Goals or Expectations\n                                 FY2003    FY2004      FY2005     FY2006\nNDIS Laboratories                      175        175         177      177\nCODIS Users Trained 28                 750        935      1,029     1,143\nStates Participating in NDIS            50         50         N/A      N/A\nNDIS Forensic Profiles             106,000     87,823    102,313   156,000\nNDIS Offender Profiles           1,500,000  1,770,000 2,227,408 3,400,000\nInvestigations Aided                 3,652      3,454      3,454    10,000\nCODIS Matches                        3,855      3,695      3,695     9,800\n\n                                                    Actual\n                                        FY2003    FY2004    FY2005\n       NDIS Laboratories                      175       175        177\n       CODIS Users Trained                    836       949      1,041\n       States Participating in NDIS            48        50        N/A\n       NDIS Forensic Profiles              71,837   100,959    131,111\n       NDIS Offender Profiles           1,559,364 1,976,573  2,691,786\n       Investigations Aided                 4,202     9,758      9,650\n       CODIS Matches                        4,239     6,825      9,451\n       Source: CODIS Unit management in December 2005\n\n      According to the data in Figure 12, the CODIS Unit has generally\nachieved or exceeded its goals. Further, we determined that the CODIS Unit\nChief has taken steps to ensure the measurement information is accurate,\nincluding creating a new baseline for investigations aided and CODIS\nmatches in 2004 by querying all states for confirmed data.\n\n      Overall, the combination of documents we reviewed appear to capture\nthe mission, goals, objectives, strategies, and performance measurements\nfor the CODIS Unit and also appear to be interlinked in a way that allows\nthem to be meaningful and measurable.\n\n       However, we identified three activities, which are not reflected in the\nCODIS Unit\xe2\x80\x99s performance measurements but that are an essential part of\nthe Unit accomplishing its mission: (1) auditing of NDIS data; (2) providing\ntraining on QAS compliance; and (3) overseeing the activities of the Review\nPanel. The three activities comprise the CODIS Unit\xe2\x80\x99s primary means of\n\n       27\n           The following categories include cumulative totals: (1) CODIS Labs, (2) Users\nTrained, (3) States Participating, (4) Forensic Profiles and (5) Offender Profiles. The\nfollowing categories include yearly totals: (1) Investigations Aided and (2) CODIS Matches.\n       28\n          CODIS User training provides users, particularly new users, with training in how\nto use the CODIS system and software.\n\n                                          - 36 -\n\x0cmonitoring and assisting NDIS-participants\xe2\x80\x99 compliance with the QAS and\nverifying the integrity of NDIS data. The activities are currently performed\non behalf of the CODIS Unit by FBI Laboratory staff outside it. Since they\nalso serve a crucial role in the CODIS Unit\xe2\x80\x99s interaction with the NDIS\ncommunity, the activities should be formalized and clearly reflected as the\nCODIS Unit\xe2\x80\x99s responsibilities in its objectives and performance\nmeasurements. These activities are discussed in the following sections.\n\n\nIntegrity of NDIS Data\n\n       Currently, as part of the corrective action measures implemented in\nresponse to our previous audit of the CODIS Program, FBI staff who perform\nquality assurance audits at CODIS participating laboratories also review the\nCODIS profiles uploaded from the cases they review (generally, three to five\ncase files are reviewed for each active DNA analyst in the laboratory). The\nprofiles are reviewed for completeness, accuracy, and allowability. These\nreviews will continue more systematically once the CODIS Unit auditor\npositions are filled. 29 However, there is no objective tracking mechanism or\nperformance measurement to capture this activity and the role that it is\nintended to play in allowing the CODIS Unit to address the requirement to\nverify the compliance of NDIS data with applicable federal laws and\nregulations. We believe this activity should be reflected with both projected\nand actual measurements, as well as in the objectives and implementing\nactions maintained by the CODIS Unit.\n\n\nCompliance with the Quality Assurance Standards\n\n      The DNA Analysis Unit I (DNAUI) has been conducting quality\nassurance auditor training courses on behalf of the CODIS Unit. The primary\nfocus of these courses is to ensure a consistent understanding of the QAS\nand consistent application of the FBI\'s audit document. A second important\nfunction of the courses is to instill an understanding of the principles and\nobjectivity surrounding auditing.\n\n       No performance measures or targets have been established for this\nactivity, even though it requires a substantial amount of effort from DNAUI\nstaff. As of November 2005, over 950 QAS auditors had been trained in\nthese courses. 30 The DNAUI Chief, who currently oversees this training,\n\n      29\n        Since the policy requiring FBI QAS auditors to review NDIS profiles was\nimplemented in June 2004, there have been only three instances of these reviews occurring.\n      30\n           Additional analysis of the QAS auditor training is contained in Finding III.\n\n                                             - 37 -\n\x0cestimates that when preparation, travel, and time used to respond to\nquestions from the DNA community are included with actual classroom\ninstruction time, approximately 20 to 25 percent of the work year for two\nstaff members is devoted to managing this function for the CODIS Unit. The\nDNAUI Chief pointed out that in addition to lacking performance\nmeasurements for this activity, there is an overarching need for FBI\nmanagement to formally recognize this activity and the resources it needs.\nFor instance, the course needs to have staff, a travel budget, resources to\ndevelop web-based instruction tools, and funding for invited guest speakers.\nThe DNAUI Chief stated that formalizing this activity would allow the FBI to\nconduct training in a more effective manner by bringing improvements to\nthe instructional process and by delivering a more uniform product across\nthe board.\n\n        In addition, one of the staff in the DNAUI who is involved in the QAS\nauditor training also serves as the chairperson for the NDIS Audit Review\nPanel, a panel of members from the DNA community that reviews the QAS\naudits completed in NDIS-participating laboratories. 31 The Review Panel was\ncreated in response to findings in a previous OIG audit and serves as a\nmeans for the FBI to ensure consistent and thorough application of the QAS\nin laboratories across the country that participate in NDIS. 32 The Review\nPanel processed over 100 audits in 2004 and received another 80 for\nprocessing in 2005. The Review Panel chairperson must assess the records\nfor each audit that are received by the FBI, distribute the audits to Review\nPanel members, consolidate their comments, follow up on any questions or\nrequests for information with the auditee, and document the resolution of\neach audit. Substantial effort is required by the Review Panel chairperson to\nfacilitate this activity on behalf of the CODIS Unit. While the Review Panel\nprocess is a crucial component of the FBI\xe2\x80\x99s confirmation of\nNDIS-participating laboratories\xe2\x80\x99 compliance with the QAS, this activity is not\nreflected in the performance measurements or objectives for the CODIS\nUnit.\n\n      We believe that FBI management should include these activities under\nthe CODIS Unit\xe2\x80\x99s responsibility and strategic planning process (including\nobjectives and measurements). For example, in our analysis of the FBI\xe2\x80\x99s\nQAS auditor training and the Review Panel process reflected in Finding III,\nwe make recommendations for improvements to be implemented by CODIS\nUnit management. We do not believe that these activities must be\n\n      31\n          Panel members must be qualified or previously qualified DNA examiners or\nanalysts who have successfully completed the FBI\xe2\x80\x99s training on the QAS Audit Document.\n      32\n           Additional analysis of the NDIS Audit Review Panel is covered under Finding III.\n\n\n\n                                           - 38 -\n\x0cconducted by CODIS Unit staff, but we recommend that the CODIS Unit\nmanagement have the authority to make changes and track performance for\nthese activities which is commensurate with its legislated role of oversight.\n\n      While the current performance measurements for the CODIS Unit\nappear to be reasonable and meaningful, we believe that the three activities\nwe identify should be formalized under the CODIS Unit\xe2\x80\x99s responsibility and\nincluded in its objectives and measurements to fully reflect the Unit\xe2\x80\x99s efforts\nto address its mission.\n\n\nCurrent Progress on CODIS Infrastructure\n\n      When we began our audit in May 2005, the FBI informed us that\nCODIS contractor activity, including the maintenance and operation of the\nCODIS system and software, was operating under a series of extensions to a\ncontract awarded in 1997. In our judgment, the continued use of contract\nextensions for that length of time, without a re-evaluation of the needs of\nthe system or the performance of the contractor, constituted a risk to the\nCODIS Unit\xe2\x80\x99s ability to provide for the long-term planning and development\nof the CODIS system. Based upon this information, we collected and\nassessed documentation on how CODIS Unit management oversees the\nCODIS infrastructure, including general operations, enhancements and\ndevelopment, and security and safeguards. 33\n\n\nCurrent Operations and Maintenance\n\n       The contractor for CODIS operations is the Science Applications\nInternational Corporation (SAIC), which the FBI has used for previous CODIS\noperational contracts. In FY\xe2\x80\x99s 1990 through the final contract extension that\nran through November 2005, the FBI paid SAIC approximately $71 million\nfor its work on CODIS. During our audit, the CODIS Unit Chief provided us\nwith a copy of that final extension. We determined that it covered not just\ncurrent operations and maintenance of CODIS, NDIS, and the FBI\'s SDIS\nsite under SAIC, but also arranged for the relocation of the NDIS site to the\nFBI\xe2\x80\x99s Quantico, Virginia, laboratory and the implementation of the one-time\nsearch authorized by the Justice for All Act of 2004.\n\n     In addition, in June 2005, the FBI Contract Review Board decided to\nauthorize a new contract solicitation that would cover the operations and\n\n      33\n          We did not perform a system-wide test or review of computer security controls.\nOur data reflects the information conveyed to us by the FBI.\n\n\n\n                                          - 39 -\n\x0cmaintenance of CODIS once the latest contract extension expired. The\nBoard approved the competition for a 1-year award with four additional\n1-year options. Proposals from bidding contractors were due in August\n2005. The contract solicitation spelled out the tasks that should be\naccomplished by the contractor, the specific deliverables, and the security\nrestrictions that should be expected and imposed on the contractor. Some\nof the tasks included:\n\n   \xe2\x80\xa2   task management and general support;\n\n   \xe2\x80\xa2   maintenance and support of the FBI\xe2\x80\x99s systems;\n\n   \xe2\x80\xa2   CODIS operational support;\n\n   \xe2\x80\xa2   technical support; and\n\n   \xe2\x80\xa2   corrections and enhancements.\n\nThe FBI awarded this contract to SAIC in September 2005. If all options are\nexercised, the operations and maintenance will be covered through\nSeptember 2010.\n\n       We also obtained feedback about the FBI\'s contractor through the\nsurvey we conducted of CODIS administrators (see Appendix VII, question\n26). The average response to our question about the contractor\'s overall\nperformance was a 4.5 on a scale of 1-5 (with 5 being excellent), which is a\npositive response of SAIC\xe2\x80\x99s performance.\n\n      In addition, according to the new CODIS Program Manager, the CODIS\nUnit will be actively seeking input from the CODIS community on whether\nthe SAIC help desk staff is adequate to meet the community\'s needs. Such\nfeedback will be crucial, because under the operations and maintenance\ncontract, SAIC will not be performing the scope of activities that it was under\nthe previous contract, and the help desk will be the main tool for providing\nservice to the CODIS community.\n\n\nImplementation of Legislated Expansions\n\n      The Justice for All Act, signed into law on October 30, 2004, authorized\nthe addition of an NDIS index for DNA profiles of indicted persons and the\nuse of a one-time search of profiles that were not previously permitted for\nstorage in NDIS against NDIS databases.\n\n\n\n                                    - 40 -\n\x0c      The FBI has made changes at the NDIS level to add the indicted\npersons index. In addition, we asked the CODIS Unit Chief about the\nimplementation of the one-time search provision. He stated that direct\nkeyboard access to NDIS is not currently possible at LDIS or SDIS sites.\nRather, in order to comply with the Justice for All Act, CODIS State\nAdministrators in November 2004 agreed to a manual or batch one-time\nsearch implementation. In May 2005, the CODIS Unit published a\nprocedure governing the searches that specifies the type of documentation\nthat must be maintained by the states, the certifications required to\ncomplete a search, and the rules for which profiles can be searched against\nwhich databases.\n\n      Two states began completing these searches on a test basis, and with\nthe distribution of an updated software version in November 2005, all CODIS\nlaboratories have the capability to complete the one-time searches. The\nnew CODIS software provides an automated mechanism for local\nlaboratories to create one-time search files and send them to their state\nlaboratories and then to NDIS. The CODIS software also currently allows for\nthe designation of appropriate specimen categories and tracks which\nsamples have already been searched, to preclude the searching of a sample\nmore than one time, in accordance with the federal legislation. This process\nwas demonstrated at a national CODIS meeting by staff of\nNDIS-participating laboratories.\n\n      Consequently, the primary aspects of the Justice for All Act have been\nfunctionally implemented. We note that this implementation took\napproximately 1 year, and included safeguards to prevent improper searches\nfrom occurring. 34\n\n\nFurther Development of CODIS\n\n      According to the CODIS Unit Chief, the FBI\xe2\x80\x99s Contract Review Board\ndetermined that the development portion of the CODIS contract should be\nhandled separately from operations and maintenance. Consequently, the\nCODIS Development Contract will be awarded with FY 2006 funding, with\nthe request for proposal expected to be announced in the spring of 2006.\nThe development contract will focus on, among other things, developing\nkinship analysis for missing persons capability.\n\n\n       34\n          As a result of the DNA Fingerprint Act, signed into law in 2006, one-time searches\nhave been eliminated because many of the profiles that could have been searched using\nthat provision can now be added directly to NDIS for routine searches.\n\n\n\n                                          - 41 -\n\x0c       In addition, an independent assessment looked at the ability of the\ncurrent CODIS architecture to support the Justice for All Act and also at the\nneed for expanded data storage due to the incorporation of additional DNA\nprofiles. 35 Findings from that assessment will be considered in developing\nthe solicitation for bids for the development contract. Of immediate import,\nthe independent assessment determined the Justice for All Act could be\nimplemented and operate over the next 3 to 5 years without exceeding\ncapacity of the current CODIS architecture.\n\n\nSafeguards for NDIS data\n\n      The FBI Security Division certified and accredited CODIS in\nMarch 2005 and granted a 3-year certificate of operation. The certification\nand accreditation process involves detailed analysis of the components and\npurpose of a system and the necessary safeguards to ensure its secure and\nsuccessful operation. Therefore, the CODIS system\xe2\x80\x99s certificate of operation\nprovides a measure of assurance that the technology and security have been\nproperly scrutinized.\n\n      In addition, the FBI stated that the CODIS data is safeguarded in\naccordance with a system security plan \xe2\x80\x93 all servers are routinely backed up,\nsystems can be restored using established back-up procedures and tapes,\nand additional back-up tapes are stored off-site. Also, the FBI has\nestablished a continuity of operations location at an FBI facility. The site will\nduplicate the NDIS site located in the FBI Laboratory and will allow\ncontinued service to the CODIS community in the event of a disaster.\n\n      Further, the FBI moved NDIS operations to the FBI\'s Quantico,\nVirginia, facility for security and enhancements. According to CODIS Unit\nmanagement, the move was completed successfully using detailed\nspecifications for stating what equipment needed to be moved and then\nmoving it, and testing the system before and after the move was completed.\nAlso, during that move, the NDIS hardware was upgraded, to include built-in\nredundancy that has resulted in faster searches.\n\n\n\n\n       35\n          This assessment was performed by the MITRE Corporation, a not-for-profit\norganization chartered to work in the public interest. MITRE possesses expertise in systems\nengineering, information technology, operational concepts, and enterprise modernization.\nMITRE also manages three federally funded research and development centers.\n\n                                          - 42 -\n\x0cInternal Controls over NDIS Searches\n\n       In general, the NDIS system is designed to only allow cross-searches\nof certain types of profiles, in keeping with legislated restrictions. For\nexample, relatives of missing persons profiles can only be searched against\nunidentified human remains profiles, not against forensic or offender\nprofiles. The NDIS procedures clearly document the limitations in place for\nhow the NDIS databases are searched. These limitations exist only at the\nNDIS level. For SDIS and LDIS, state and local laboratories are permitted to\nset the parameters for searching profiles at each level, based upon the state\nor local laws that govern those activities.\n\n      We also determined that the FBI had implemented system safeguards\nto ensure that NDIS-participating laboratories were performing one-time\nsearches in accordance with the Justice for All Act, specifically preventing\nunallowable repeat searches from occurring. 36 However, the DNA\nFingerprint Act, signed into law in 2006, eliminated the need for one-time\nsearches because any profiles that could have been searched using that\nprovision can now be added directly to NDIS for routine searches.\n\n\nConclusion\n\n      The FBI has taken measures to provide for the operations,\nmaintenance, and security of the CODIS system for the near future, by\nproviding the following:\n\n   \xe2\x80\xa2   a dedicated program manager to oversee CODIS operations and\n       contract management;\n\n   \xe2\x80\xa2   a contract in place with a company that has a documented ability to\n       handle CODIS operations in a satisfactory manner;\n\n   \xe2\x80\xa2   a continuity of operations plan and site, to ensure service to the\n       CODIS community in case of disaster; and\n\n   \xe2\x80\xa2   upgraded hardware capabilities and physical security enhancements\n       through moving the system to the Quantico, Virginia, FBI Laboratory\n       facility.\n\n\n\n       36\n          As stated previously, the Justice for All Act allowed a one-time search of certain\nDNA profiles, which were not allowed to be stored in NDIS, against NDIS databases.\n\n\n\n                                           - 43 -\n\x0c       However, continued progress is needed to ensure that the\ndevelopment contract process is completed as planned and that the\ndevelopment contract awarded allows for continued responsiveness to\nlegislated changes to CODIS operations.\n\nRecommendations\n\nWe recommend that the FBI:\n\n1.   Develop and implement a plan to ensure that all CODIS administrators\n     attend the FBI QAS auditor training.\n\n2.   Improve information sharing through enhancements to the CODIS\n     website, considering the suggestions made by the community and\n     implementing them wherever practicable. Particular attention should\n     be given to assisting viewers in finding all guidance available on a\n     topic and to using the website as a means of posting broadly\n     applicable questions received from laboratories throughout the CODIS\n     community and the relevant answers.\n\n3.   Distill profile allowability guidance, including scenarios that are\n     discussed at national meetings, into a decision-tree or other written\n     user-friendly guidance and disseminate that information to all CODIS\n     users. As other scenarios are posed individually, develop an electronic\n     library with situations and explanations that can be accessed by all\n     CODIS users, where appropriate.\n\n4.   Formally request that the Scientific Working Group on DNA Analysis\n     Methods consider, as part of its maintenance of the QAS, the\n     operational material weaknesses identified by the CODIS\n     administrators, including: (1) the inherent limitations of one-person\n     DNA laboratories, (2) uninvolved off-site technical leaders, and\n     (3) laboratories that upload profiles that have not been fully reviewed.\n\n5.   Ensure that guidance on submission of information to the NDIS Audit\n     Review Panel is sent to those members of CODIS labs that are\n     responsible for this activity.\n\n6.   Develop and utilize a mechanism for tracking information requests that\n     are received by the CODIS Unit to ensure a timely response.\n\n7.   Develop communications policies that will allow the CODIS Unit to\n     provide written guidance to members of the DNA community to the\n     fullest extent possible.\n\n\n                                   - 44 -\n\x0c8.    Develop a staffing plan that identifies current hindrances to filling\n      vacant positions in the CODIS Unit, potential solutions to those\n      hindrances, and a timeline of requirements for action to fill those\n      positions.\n9.    Develop written descriptions of routine activities and responsibilities\n      for current staff in the CODIS Unit, particularly those with multiple\n      roles, and incorporate this information in a procedure manual for each\n      position.\n\n10.   Incorporate the three activities we identified that are performed on\n      behalf of the CODIS Unit by other FBI personnel \xe2\x80\x93 auditing of NDIS\n      data, providing training on QAS compliance, and overseeing the\n      activities of the Review Panel \xe2\x80\x93 into the CODIS Unit\xe2\x80\x99s objectives and\n      measurements to fully reflect the CODIS Unit\xe2\x80\x99s efforts to address its\n      mission.\n\n11.   Ensure the development contract process is completed as planned and\n      that the development contract awarded allows for continued\n      responsiveness to legislated changes to CODIS operations.\n\n\n\n\n                                    - 45 -\n\x0cII.    TRENDS AND VULNERABILITIES REVEALED THROUGH AUDIT\n       RESULTS\n\n       Based on our analysis of the results of OIG CODIS audits completed in\n       FYs 2004 and 2005, as well as selected external QAS audits, we\n       determined that: (1) the FBI\xe2\x80\x99s internal controls over the proper\n       upload of forensic profiles to NDIS are inadequate; and (2) the FBI is\n       not tracking audit findings reviewed by the NDIS Audit Review Panel to\n       detect common and overturned findings, and therefore is unable to\n       ensure that QAS weaknesses or misunderstandings within the\n       community are addressed. These weaknesses leave the FBI\n       potentially vulnerable to undetected, inadvertent, or willful\n       non-compliance by CODIS participants, and consequently could\n       undermine the integrity of the CODIS Program.\n\n\nNeed for Additional Verification of Compliance with NDIS\nRequirements\n\n      The OIG CODIS laboratory audits were initially designed to support the\n2001 OIG audit, The Combined DNA Index System, which included audits of\neight laboratories. Since then, the OIG has completed an additional\n24 CODIS laboratory audits. (See Appendix V for a complete listing.) The\nobjective of these audits was to determine if the laboratories audited were in\ncompliance with standards governing CODIS activities. Specifically, we\nperformed testing to determine if the: (1) laboratory was in compliance with\nthe NDIS participation requirements; (2) laboratory was in compliance with\nthe QAS issued by the FBI; and (3) laboratory\xe2\x80\x99s DNA profiles in CODIS\ndatabases were complete, accurate, and allowable.\n\n       Criteria used for these audits included the QAS issued by the FBI in\n1998 and 1999; the NDIS Participation Requirements delineated in the\nparticipation MOU; and OIG-developed standards for profile completeness\nand accuracy, and timely response to CODIS matches. See Appendix IV for\nfurther details of the audit criteria for these laboratory audits.\n\n     Our analysis of trends generally focused on those audits completed in\nFYs 2004 and 2005. 37 We included 18 audits in our review and identified\n10 common findings. The findings were in three areas \xe2\x80\x93 compliance with\nNDIS participation requirements, compliance with the QAS, and proper\n\n\n\n       37\n          In our analysis, we included two audit reports for audits completed in FY 2005\nthat were not issued until early FY 2006.\n\n                                          - 46 -\n\x0cupload of forensic profiles to NDIS. 38 Figure 13 details the common findings\nwe identified.\n\n  Figure 13 \xe2\x80\x93 Finding Trends from 18 OIG CODIS Laboratory Audits\n\n  Non-compliance         No.                          No.                                   No.\n    with NDIS            of     Non-compliance        of      Improper Upload of            of\n   Requirements         Labs       with QAS          Labs   Forensic Profiles to NDIS      Labs\n\n Annual reminder               Insufficient access          A profile matching the\n forms were not          6     restrictions to DNA    2     victim of the crime was         4\n completed.                    laboratory space.            uploaded.\n External QAS audit\n                                                            Inaccurate profile\n reports were not\n                         6                                  identification numbers were     2\n forwarded to the FBI\n                                                            uploaded.\n in a timely manner.\n                                                            Profiles were not obtained\n                               Data integrity was                                           2\n                                                            from crime scene samples.\n                               not verified for\n                                                      2     Profiles were unverified due\n Potential NDIS                outsourced forensic\n                               samples.                     to laboratories\xe2\x80\x99 poor           3\n matches were not\n                         5                                  maintenance of case files.\n resolved in a timely\n manner.                                                    A profile matching a known\n                                                            person who was not a\n                                                                                            2\n                                                            suspected perpetrator was\n                                                            uploaded.\n  Total Number of\n                         17                           4                                     13\n      Findings\nSource: OIG analysis of OIG reports for FYs 2004 and 2005\n\n       Common findings occurred with greatest frequency in the two areas of\nreview that are audited primarily by the OIG: compliance with NDIS\nparticipation requirements and the proper upload of forensic profiles to\nNDIS. Currently, audits performed by scientists within the DNA laboratory\ncommunity do not include any analysis of compliance with NDIS participation\nrequirements, including profile allowability restrictions (excluding those\nportions of the requirements that overlap with the QAS). The FBI is in the\nprocess of hiring staff auditors for the CODIS Unit who could perform audits\nof NDIS compliance similar to those done by the OIG. However, the CODIS\nUnit Chief has stated that the plan for the CODIS staff auditors is to conduct\nQAS audits similar to those already being performed in the DNA community,\nwith a limited additional review of NDIS profiles. 39\n\n\n\n\n       38\n          We did not identify any common issues in the findings concerning proper upload\nof convicted offender profiles to NDIS.\n       39\n          Additional analysis of the role of CODIS auditors and their audit methodology is\ncontained in Finding III.\n\n                                            - 47 -\n\x0c       Further, we determined that the FBI currently relies upon the annual\nCODIS user certifications as the primary means of ensuring the compliance\nof NDIS data. 40 From the trends we noted, we conclude that this reliance is\ninsufficient for the following reasons.\n\n   \xe2\x80\xa2   Forensic profiles are supposed to be limited to those from crime-scene\n       evidence that do not unambiguously match the victim or other known\n       individual uninvolved in the crime. Further, documentation should be\n       maintained to demonstrate the allowability of NDIS profiles, and the\n       data in those profiles should be interpretable. As seen in Figure 13,\n       we noted 13 incidents of forensic profile findings that violated some\n       aspect of these restrictions. While these findings may represent a\n       small portion of the profiles we reviewed, the fact that forensic profiles\n       were improperly uploaded at 11 of 18 laboratories we audited indicates\n       that the annual certification forms have not been successful in\n       ensuring CODIS user compliance with profile allowability restrictions.\n\n   \xe2\x80\xa2   We found that 6 of 18 laboratories we audited had not completed\n       annual user certification forms as required. The forms are completed\n       by laboratories on a self-certification basis and are not required to be\n       submitted to the FBI.\n\n\nFlaws in the FBI\xe2\x80\x99s Oversight of QAS Audits\n\n      We requested and received from 41 state and local laboratories\nthroughout the CODIS community, documentation of the external QAS audit\nconducted at each laboratory and cleared by the Review Panel in 2004 and\n2005. 41 We analyzed this documentation for trends and statistics. We\ndetermined that specific facts within the documentation, such as dates the\naudits were submitted to the panel, were generally consistent with the FBI\xe2\x80\x99s\n\n\n\n       40\n           At the beginning of each calendar year, each laboratory\xe2\x80\x99s CODIS administrator is\nrequired by NDIS procedures to ensure that each CODIS user is reminded of the categories\nof DNA data accepted by NDIS. As part of that reminder, the CODIS administrator has\nindividual users certify that they have received their annual reminder and understand and\nwill abide by what DNA data is accepted by NDIS.\n\n       41\n           The NDIS Audit Review Panel is a group of volunteer members of the DNA\ncommunity who meet specific requirements, as well as FBI DNA staff members. The panel\nreviews all external QAS audits conducted at NDIS-participating laboratories across the\ncountry, with the purpose of ensuring consistent and thorough application of the QAS by the\nQAS auditors and appropriate and complete corrective action by the laboratories.\n\n\n\n                                          - 48 -\n\x0cReview Panel records. 42 Based on our review we found: (1) there were a\ntotal of 112 audit findings noted in the 41 audit reports, of which 11\n(10 percent) were overturned after examination by the Review Panel (see\nFigure 14); and (2) of the 41 audit reports, 6 had no findings (15 percent),\n28 shared a finding in common with another audit, and 7 had unique\nfindings. 43\n\n      We developed a matrix of the findings from the 41 external QAS audits\nthat were selected in our sample and noted several commonalities, as shown\nin Figure 14. The common findings are listed by QAS section number, with a\ndescription of the specific standard and finding that was implicated in a\nshared finding, the number of labs that shared in that finding, and the\nnumber of overturned findings for each QAS section. (See Appendix III for a\ndescription of each QAS section.)\n\n\n\n\n       42\n          This confirmation of accuracy allowed us to rely upon the FBI\xe2\x80\x99s Audit Review Panel\nrecords for our analysis of panel timeliness, as shown in Finding III.\n       43\n            Findings are overturned when the Review Panel determines that the finding was\nnot justified based upon the commonly accepted interpretation of the QAS. Often, for this\nto occur, the audited laboratory must challenge the finding to the Review Panel.\n\n                                          - 49 -\n\x0c              Figure 14 \xe2\x80\x93 Trends in QAS Audits Conducted and Reviewed\n              by the NDIS Audit Review Panel in 2004 through July 2005\n\n                                                                                             No. of\n QAS                                                                                No. of   Overturned\n Section      Description of Trends                                                 Labs*    Findings\n    5         Std. 5.3.2(b) Laboratories did not document which analysts were         4\n              competent to analyze bones or teeth.\n    6         Std. 6.1.4 Laboratories did not document cleaning or                    6          4\n              decontamination.\n    7         Std. 7.1.1 Tube labels were not unique identifiers.                     2\n              Std. 7.1.2 Chain-of-custody transfers were not fully documented.        5\n              Std. 7.1.4 Evidence was not secured properly or access limited.         2\n    8         Std. 8.1.3.3 No qualifying test was documented for new methods          2\n              in use.\n    9         Std. 9.2.1 Guidelines on quality control of critical reagents were      3\n              incomplete.\n              Std. 9.5 Check of procedures against a NIST-traceable standard          3          1\n              was not performed.\n              Std. 9.6 There was a lack of mixture interpretation guidelines.         4\n    10        Std. 10.2.1 Thermometers for temperature verifications were not         6\n              properly calibrated.\n              Std. 10.2.2 There was no documentation of critical equipment            3\n              calibrations.\n              Std. 10.3 Laboratories did not follow their own equipment               2\n              calibration or maintenance requirements.\n    11        Std. 11.1 Information in the case files was not properly                2\n              referenced.\n              Std. 11.1.1 Laboratories did not retain all records in a case file.     6          5\n              Std. 11.1.2 Information required for case reports was not               2\n              included.\n    12        Std. 12.1 cited in conjunction with a finding for Std. 17.1.1 for\n              databasing laboratories, that contractor data was not reviewed         N/A         1\n              properly. 44\n    15        Std. 15.2 A repeat finding was noted.                                   2\n    16        Std. 16.1 Training required by safety plan was not conducted or         5\n              documented.\n *Some laboratories were part of multiple shared findings within the same QAS section. Therefore, the\n numbers in this column cannot be totaled to reach the number of unique laboratories with common\n findings in each section of the QAS.\n\nSource: OIG analysis of 41 external QAS audits conducted in the CODIS community in 2004 and 2005\n\n\n\n\n         44\n            This finding was not part of a trend, but was overturned, and therefore we include\nit in our table to demonstrate the total number of overturned findings.\n\n                                                  - 50 -\n\x0c       As shown in Figure 14, the standards with common findings cover\nsignificant aspects of a laboratory\'s operations, including chain-of-custody\ndocumentation, labeling of evidence and security of evidence storage\n(7 laboratories); completeness of case file documentation (10 laboratories);\nguidelines for interpretation of mixed profiles (4 laboratories); and proper\nmonitoring of critical reagents (3 laboratories), equipment (10 laboratories),\nand procedures (3 laboratories).\n\n      In a few instances, we noted that some overturned findings were not\ncommunicated to the laboratories that challenged the findings. Rather, the\nlaboratories received correspondence that notified them that they were\nconsidered to be in compliance, with no acknowledgment that the finding\nwas overturned. For example, four laboratories challenged the finding cited\nagainst them for compliance with Standard 11.1.1. 45 The correspondence\nreceived from the FBI for those laboratories did not acknowledge this\nfinding, either to uphold or retract it. Instead, the FBI notified the\nlaboratories that they were deemed to be in compliance with the QAS,\nleaving laboratory officials to conclude that the finding was overturned. The\nFBI should ensure that, at a minimum, correspondence with the audited\nlaboratories clearly documents which findings have been overturned and the\nrationale behind that action.\n\n       In addition, we noted inconsistency with the way the Review Panel\nhandled some findings. For example, six different laboratories were cited for\nnon-compliance with Standard 6.1.4. However, when the Review Panel\nexamined the corresponding documentation, it overturned findings for the\nfour laboratories that challenged the finding, while making no adjustment for\nthe two laboratories that did not challenge it. We recognize that it is not the\nReview Panel\xe2\x80\x99s responsibility to challenge findings on behalf of laboratories,\nbut it would be appropriate, in our judgment, to directly provide the\nlaboratories that did not challenge these findings with the information that\nthe Review Panel had concluded in other similar instances.\n\n      Most significantly, we noted that the FBI is not formally tracking\ncommon and overturned findings. The CODIS Unit Chief stated during our\nfieldwork, conducted in May 2005, that his unit does not track the findings\nobserved in the reports that go through the Review Panel, and he did not\nindicate any plans to do so.\n\n      However, the current Review Panel chairperson stated that she does\nan informal tally of findings as a means of getting a sense of where there are\n\n       45\n        Standard 11.1.1 states, \xe2\x80\x9cThe laboratory shall maintain, in a case record, all\ndocumentation generated by examiners related to case analyses.\xe2\x80\x9d\n\n                                          - 51 -\n\x0ccommonalities. The chairperson provided information to the CODIS\ncommunity at a national meeting in November 2005, confirming these\nstatements. In her presentation, she touched on the issue related to four of\nthe overturned findings for Standard 6.1.4 that we noted in our analysis,\nmaking it clear that documentation of cleaning and decontamination in the\ncase file is not required. She further discussed the difference between a\nlaboratory\xe2\x80\x99s compliance with accreditation standards versus the QAS,\nreminding QAS auditors that there can be differences between the two. She\nalso stated that she is attempting to give QAS auditors feedback on findings\nthat were later overturned, but this feedback is done informally rather than\nsystematically in a written, formal context.\n\n       In addition, we determined that the previous chairperson also\ninformally tracked overturned and common findings in the audits to provide\nthat information to the CODIS community. In her November 2004\npresentation at a national CODIS community meeting, she addressed\nStandard 6.1.4, as well as the underlying issue for one of the overturned\nfindings we observed for standard 11.1.1. She also clarified the\nrequirements of Standard 9.5, which was included in one of the trends we\nnoted. However, these clarifications were again handled informally, rather\nthan through written guidance or policy updates.\n\n       We concluded that while in the last 2 years the FBI Review Panel\nchairpersons have generally gained a sense of the areas where common and\noverturned findings occur, that information is not tracked systematically and\ncompletely. Without a thorough understanding of trends in common\nfindings, the FBI cannot properly provide the CODIS community with the\nadditional guidance needed to remedy and prevent compliance weaknesses\nin the trend areas, which our analysis revealed to be significant components\nof a laboratory\xe2\x80\x99s operations.\n\n      Further, without a complete understanding of trends in overturned\nfindings, the FBI cannot take the necessary steps to prevent QAS auditors\xe2\x80\x99\ncontinued misunderstandings of compliance in those areas, to ensure that all\nQAS auditors obtain feedback on their performance, and to guide QAS\nauditors from other organizations \xe2\x80\x93 such as those who audit for accrediting\nbodies \xe2\x80\x93 toward a consistent interpretation and application of the standards.\n\n      Our CODIS administrator survey results demonstrate that the FBI\nshould track common and overturned findings. Specifically, the results to\nquestion 30, as discussed in Finding I, reveal that 13 percent of respondents\ndid not believe that the Review Panel has improved compliance in the DNA\ncommunity, because individual (or inconsistent) QAS auditor interpretations\nare still enforced. This sentiment was reiterated 161 times by a total of\n\n                                   - 52 -\n\x0c83 respondents in comments throughout the survey, demonstrating the\nmagnitude of the problem posed by inconsistent interpretation of the QAS.\n\n      Informing the CODIS community of common and overturned QAS\naudit findings serves as a valuable tool for continuing education in QAS\ncompliance for both the FBI\xe2\x80\x99s QAS auditor training courses, as well as for\nnational meetings where compliance is discussed. By tracking findings in a\nmanner similar to the exercise we performed, the FBI should be able to\naddress:\n\n   \xe2\x80\xa2   trends in overturned findings to better train QAS auditors and monitor\n       their performance;\n\n   \xe2\x80\xa2   inconsistencies between organizations on specific standards to better\n       communicate those inconsistencies to the heads of those\n       organizations; and\n\n   \xe2\x80\xa2   trends in common findings to better train the DNA community on\n       compliance.\n\n      Overall, we conclude that the FBI needs to develop more rigorous\ninternal controls to ensure that it has proper oversight over compliance with\nNDIS requirements. Further, the FBI should track audit findings to obtain\nthe type of information that will be beneficial to QAS auditors and audited\nlaboratories.\n\n\nRecommendations\n\nWe recommend that the FBI:\n\n12.    Ensure that the internal controls over the compliance of NDIS data are\n       strengthened beyond the current reliance on self-certification annual\n       reminder forms.\n\n13.    Implement a formal mechanism for tracking findings in audits\n       reviewed by the NDIS Audit Review Panel so that common findings and\n       inconsistencies in interpretation can be identified.\n\n14.    Implement a formal mechanism for tracking auditor performance so\n       that QAS auditors who use incorrect interpretations of the QAS can\n       adjust their performance and also so that the FBI can detect whether\n       individual QAS auditors require additional guidance.\n\n\n\n                                    - 53 -\n\x0c15.   Use these mechanisms to provide specific training to the DNA\n      community on common findings and inconsistencies observed, to aid\n      the DNA community\'s compliance, and to further improve consistency\n      between organizations and QAS auditors.\n\n\n\n\n                                  - 54 -\n\x0cIII.   ADDITIONAL CORRECTIVE ACTION NEEDED TO ADDRESS\n       PREVIOUS FINDINGS\n\n       Previous OIG audit findings identified the need to verify the compliance\n       of NDIS data, to ensure NDIS user compliance with NDIS\n       requirements, and to ensure that laboratories remedy QAS audit\n       findings. From our analysis of the FBI\xe2\x80\x99s corrective actions, we\n       determined that it has not yet implemented routine audits of NDIS\n       profiles and still relies on self-certification in confirming NDIS user\n       compliance with NDIS requirements. The FBI has made improvements\n       in the oversight of QAS compliance within the CODIS community,\n       including conducting QAS auditor training courses, the implementation\n       of a DNA community-wide audit document, and the creation of the\n       Review Panel to ensure consistent and thorough application of the QAS\n       and complete and appropriate corrective action to QAS audit findings.\n       However, we identified the need for improved Review Panel timeliness\n       and improved consistency in training through an emphasis on written\n       guidance.\n\n\nVerifying the Compliance of Data in NDIS\n\n      The FBI\xe2\x80\x99s corrective action approach to the OIG\xe2\x80\x99s 2001\nrecommendation to verify the compliance of data in NDIS was two-fold:\n(1) the FBI began requiring FBI QAS auditors to review CODIS profiles as\npart of their case file reviews (this action was initiated in June 2004), and\n(2) the FBI began taking steps to hire staff auditors who would\nsystematically audit the profiles contained in NDIS.\n\n      In 2004 and 2005, FBI QAS auditors completed a total of three audits\nduring which they confirmed that the profiles uploaded to NDIS from each\ncase they reviewed were complete, accurate, and allowable. FBI QAS\nauditor involvement in confirming NDIS profiles was to be a temporary\nmeasure until CODIS Unit auditors could be hired. Therefore, we assessed\nthe FBI\xe2\x80\x99s QAS auditor approach as a temporary measure and noted that\nimprovements could still be made.\n\n        We noted that these reviews cover three to five case files per active\nDNA examiner in the audited laboratory. We believe such a methodology is\ndeficient because of its limited scope. In the OIG\xe2\x80\x99s audits of forensic\nprofiles, a minimum of 50 profiles are selected randomly for review from a\nlist of the profiles currently in NDIS. This methodology permits a review of\nthe work of not only current but also past examiners, as well as profiles\nproduced by another laboratory and uploaded to NDIS by the auditee.\n\n\n                                     - 55 -\n\x0cFurther, this methodology ensures that for every case file OIG auditors\nreview, an NDIS profile has been uploaded. The FBI\xe2\x80\x99s methodology could\nmiss problems with profiles that were uploaded to NDIS on behalf of another\nlaboratory and would not assess profiles produced by any examiner not\ncurrently on staff at the laboratory. Consequently, we consider the review\nmethodology to be inadequate.\n\n       In addition, we observed that while there is a mechanism for\ndocumenting the results of the FBI QAS auditor\xe2\x80\x99s profile reviews, there is not\na mechanism for documenting and tracking how many profiles are confirmed\nduring these reviews or the frequency with which these reviews are\nconducted. For example, because FBI QAS auditors can look at 3 to 5 case\nfiles per active analyst in each laboratory audited, and because laboratories\nvary in the number of analysts employed, there is no way of knowing\nwhether 10 or 50 NDIS profiles are reviewed in the context of a particular\naudit. Considering the difficulty experienced in getting CODIS auditors on\nstaff, we believe the FBI should be tracking this information since this\n\xe2\x80\x9ctemporary\xe2\x80\x9d measure could continue for a period of years. Records should\nbe maintained to indicate the scope of the profile reviews that are performed\nto better reflect the extent to which the risk of non-compliance is being\nalleviated by this management control.\n\n      The CODIS Unit Chief intends for the new CODIS auditors to continue\nthe same scope of work to verify compliance with NDIS requirements that\nthe FBI QAS auditors currently perform. As a result, the methodology to\nreview profiles that we consider to be inadequate will continue once\npermanent CODIS auditors are on staff in the CODIS Unit. Further, the\nCODIS Unit Chief does not intend to review any other aspect of compliance\nwith NDIS requirements beyond the limited forensic profile review. This\napproach falls short of the changes intended by the OIG in the\nrecommendations from our earlier report. We believe the intended use of\nthe CODIS auditors is insufficient in light of the fact that the FBI is\nresponsible for ensuring compliance of NDIS participants and that no audits,\nother than the OIG\xe2\x80\x99s, are being conducted within the CODIS community to\nspecifically review compliance with NDIS requirements. For example, below\nwe note the inadequacy of the FBI\xe2\x80\x99s reliance on self-certification forms to\nensure user compliance with restrictions on data in NDIS. These forms\nserve as one example of the type of documentation that could be audited for\ncompliance if the FBI is to reconsider its intended use of CODIS auditors.\n\n\n\n\n                                    - 56 -\n\x0cContinued Reliance on Self-certification\n\n       During our prior audit, we found that 6 of 8 laboratories uploaded a\ntotal of 55 incomplete or unallowable DNA profiles to CODIS, out of the\n1,308 profiles we tested. As a result of these findings, the FBI began\nrequiring that at the beginning of each calendar year, each laboratory\xe2\x80\x99s\nCODIS administrator ensure that each CODIS user is reminded of the\ncategories of DNA data accepted at NDIS. 46 As part of that reminder, each\nCODIS administrator has CODIS users at their laboratory certify they have\nreceived their annual reminder and understand and will abide by what DNA\ndata is accepted at NDIS. An example of this form can be found in\nAppendix VI.\n\n      The certification or \xe2\x80\x9creminder\xe2\x80\x9d forms are handled on a self-certification\nbasis. Administrators sign a certification saying that the reminder forms\nwere completed by CODIS users in their laboratory, but the signed individual\nforms are not submitted to the FBI. Since the certification signed by an\nadministrator does not indicate the number or identity of CODIS users who\nsigned the form, there is no way for the FBI to confirm that all CODIS users\nhave completed the forms as required.\n\n      In addition, while the reminder forms were implemented as corrective\naction to our previous audit, one of the deficiencies noted under that audit\nwas the FBI\xe2\x80\x99s reliance upon self-certifications from CODIS participants. As\npreviously noted, OIG CODIS laboratory audits identified that CODIS users\nat 6 of 18 laboratories audited in FYs 2004 and 2005 did not complete the\nforms as required.\n\n      We recommend that the FBI revise its current certification process to\nrequire laboratories to list CODIS users who are certified each calendar year,\nwhich would enable the FBI to ensure that all users registered for each\nlaboratory have completed the forms. This action should be completed in\nconjunction with the FBI\xe2\x80\x99s response to the OIG\xe2\x80\x99s current related\nRecommendation No. 12, for greater oversight of compliance of NDIS data.\n\n\nImprovement in Oversight of QAS Audits\n\n      The FBI implemented various corrective action measures in response\nto previous OIG recommendations for greater oversight of QAS compliance\n\n\n       46\n           A CODIS user is any state or local laboratory employee who has log-in access to\nthe CODIS system or qualified DNA analysts who are responsible for producing the DNA\nprofiles stored in NDIS.\n\n                                          - 57 -\n\x0cand the adequacy of laboratories\xe2\x80\x99 responses to QAS audit findings. Specific\nchanges were:\n\n  \xe2\x80\xa2   To count toward the biannual audit requirement, the FBI implemented\n      a restriction that external QAS audits had to be performed by\n      FBI-trained QAS auditors, using the FBI-developed audit guide to\n      further consistency and thoroughness in the audits that are performed.\n\n  \xe2\x80\xa2   The FBI began requiring NDIS-participating laboratories to supply a\n      copy of each external QAS audit performed at their laboratory to the\n      CODIS Unit, along with all relevant corrective action documentation.\n      In addition, the FBI instituted the Review Panel to examine the audits\n      submitted to the FBI to confirm the scope and uniformity of the QAS\n      audits and to ensure that corrective action was completed for each\n      finding.\n\n      We analyzed several sources of documentation regarding the adequacy\nof these corrective action measures, including the results of the\nadministrator survey. The results of our analysis are stated below.\n\n\nQAS Audit Document and QAS Auditor Training\n\n       According to QAS Standard 15.1, a laboratory must conduct an annual\naudit to determine compliance with the QAS. Standard 15.2 requires that\nonce every 2 years, a second agency shall participate in the annual audit\n(referred to as \xe2\x80\x9cexternal QAS audit\xe2\x80\x9d). We determined that the FBI\nimplemented a requirement as of January 2002 that if a QAS audit was to\ncount toward meeting QAS Standard 15.2 for an external audit, the audit\nmust be conducted by FBI-trained QAS auditors. This measure assists the\nFBI in ensuring that the QAS auditors in the DNA community have been\nprovided guidance on the application of the QAS. The FBI also implemented\na requirement that the audits conducted in the CODIS community be\nperformed using the FBI\xe2\x80\x99s audit document. This document contains\ncomments and guidance on the accepted interpretation of the standards and\nalso assists the FBI in ensuring consistent and thorough application of the\nQAS to CODIS-participating laboratories. Both of these measures are\nsignificant in their scope and have allowed the FBI to greatly improve the\nDNA community\xe2\x80\x99s overall compliance with the QAS since our previous audit.\n\n      Based on the survey results and direct OIG experience with the QAS\nauditor training courses, we noted the need to ensure that training is based\non a comprehensive written curriculum and that the supplemental guidance\nprovided in the context of discussion sessions be documented for future\n\n\n                                   - 58 -\n\x0creference and verification of consistency. Currently, the auditor course is\nbased on a presentation given by the course instructors and is linked closely\nto what is contained in the QAS audit guide maintained by the FBI.\n\n       However, speaker notes that provide context and helpful interpretive\nguidance to course attendees are not available for public reference. Further,\nthe course instructors can include extemporaneous verbal guidance\nregarding specific standards that is not included in the presentation\nmaterials or in the audit guide on which the training is based. The verbal\nguidance or explanation given in these courses can result in\nmisunderstanding and therefore misapplied guidance. For example, in a\ncourse attended by an OIG manager, the speaker responded to a question\nregarding the use of contract employees for reviewing casework profiles.\nThat answer led to confusion as to the extent of the FBI\xe2\x80\x99s policy. The OIG\nattempted to contact various FBI personnel to clarify the point, but the\nincident served as an example of the misinterpretation that can occur when\nverbal guidance is given that is not directly linked to written guidance. The\ninconsistency between written and verbal guidance can impact both the QAS\nauditors, hindering their consistent and thorough assessment of compliance,\nas well as the auditees\xe2\x80\x99 understanding of their obligations under the\nstandards. Therefore, we believe the FBI needs to ensure that any\nsignificant verbal guidance given in each course is presented consistently\nwith written guidelines.\n\n       In addition, we obtained from the FBI\xe2\x80\x99s DNAUI Chief ways in which he\nbelieves the course could be improved. Particularly noteworthy was the\nsuggestion for web-based training tools, especially since 37 respondents to\nour CODIS administrator survey made a total of 51 comments regarding the\nuse of the CODIS website to offer better training and guidance resources.\nBased upon the support for this concept, we believe the FBI should design\nand implement web-based training tools as a supplement to the QAS auditor\ntraining courses being conducted. Such tools would allow those in the\nCODIS community who have not yet taken the QAS auditor training course\nto have access to the guidance and clarification they need to ensure\ncompliance. Administrator survey results indicate that 43 percent of those\nwho responded have not taken the QAS auditor training course.\n\n\nNDIS Audit Review Panel\n\n      In January 2002, the FBI instituted a requirement that all external\nQAS audits performed at NDIS-participating laboratories be provided, along\nwith corrective action documentation, to the Review Panel for examination\nand clearance. The Review Panel is comprised of volunteer qualified-DNA\n\n\n                                    - 59 -\n\x0cexaminers who have completed the FBI\xe2\x80\x99s QAS auditor training. Each audit is\nreviewed by four Review Panel members, two from the FBI and two from a\nstate or local forensic DNA laboratory. The Review Panel members provide\ntheir analysis of audit findings and corrective action and forward them to the\nReview Panel chairperson, who consolidates members\xe2\x80\x99 analyses and\noversees interactions with the audited laboratory. Requests for more\ninformation or clarification come from the Review Panel chairperson. When\nthe audit is closed (i.e., the FBI considers the laboratory to be in compliance\nwith the QAS), correspondence to that effect is sent by the NDIS Custodian\n(currently the CODIS Unit Chief).\n\n       Initially, our analysis of FBI data indicated a significant backlog and\ndelay in reviewing and closing the audits submitted to the Review Panel. In\nour judgment, such delays hinder the FBI\xe2\x80\x99s ability to ensure that CODIS\nparticipants are currently compliant with the QAS. The CODIS Unit Chief\nstated that he had taken steps to improve the efficiency of the Review Panel,\nincluding a tracking system to ensure timely and complete analysis and\nresponse to audits, and assigning a chairperson to the Review Panel who can\noversee it. Upon further review, we determined that improvement has been\nmade, as reflected in Figure 15.\n\n\n\n\n                                    - 60 -\n\x0c                  Figure 15 \xe2\x80\x93 Analysis of Improvement to NDIS Audit\n                        Review Panel Efficiency, 2003 to 2004 47\n\n\n                                   Audit Panel Efficiency\n\n\n            250                                        232\n\n            200\n\n\n            150\n                                                             91\n            100           81      72\n\n             50\n\n\n              0\n                       Audits Cleared            Avg. Days Spent\n\n                                   2003         2004\n\n      Source: OIG analysis of NDIS Audit Review Panel records\n\n       As can be seen, significant improvements reduced the overall average\nnumber of days spent from receipt of the audit to close of the audit from\n232 to 91 in just 1 year, while the number of audits cleared remained fairly\nstatic. Yet, we noted the following opportunities for additional improvement.\n\n  \xe2\x80\xa2   Review Panel members are required to return their review comments\n      to the chairperson in 30 days. However, we determined that the\n      average time taken in 2004 was 54 days, almost double the time\n      permitted. Although the FBI\xe2\x80\x99s ability to enforce that deadline is\n      limited, there is no tracking performed to detect Review Panel\n      members who are consistently and significantly late. We found\n      documentation that consistent delay was true of at least one Review\n      Panel member. The FBI should track Review Panel member timeliness\n      and implement measures that can be taken in the event that panel\n      members are consistently unable to meet the deadline. By remedying\n      this delay, we believe the FBI could improve average turnaround time.\n\n\n\n\n      47\n           All of our analysis was done based on calendar days.\n\n                                           - 61 -\n\x0c   \xe2\x80\xa2   As part of our review of audit trends in 41 external QAS audits, we\n       found that audits where follow-up with the auditee was required\n       averaged 22 days longer, and audits where findings were contested\n       averaged 47 days longer than audits where neither of these delays\n       occurred. By distributing written guidance to the CODIS community\n       regarding how to provide a complete package of information for the\n       panel, the FBI can limit the delays caused by the need to follow up on\n       incomplete information. This guidance must go to the members of the\n       DNA community who are actually compiling the information for the\n       panel. In addition, by ensuring that more members of the CODIS\n       community take the QAS auditor training and by addressing\n       consistency issues with the QAS auditor training, the FBI can reduce\n       the number of challenges to findings by ensuring the QAS auditors are\n       consistent with generally accepted interpretations, and the audited\n       laboratories are clear on what is expected for QAS compliance.\n\n   \xe2\x80\xa2   Finally, the FBI does not have a mechanism for ensuring compliance\n       with the requirement that all external QAS audits be submitted to the\n       Review Panel. While the FBI collects annual information from each\n       NDIS-participating laboratory regarding the audits that were\n       conducted in the preceding year (and in some cases, those that are\n       planned for the current year), there is no cross-check between this\n       information and the Review Panel records to confirm that copies were\n       received of all the external QAS audits conducted. Without a\n       cross-check, the FBI cannot ensure that it is receiving all of the\n       external QAS audits that are conducted at NDIS-participating\n       laboratories. Such a mechanism would require minimal setup and\n       could serve as an added management control to ensure compliance.\n\n      In conclusion, we believe the FBI should take action to ensure that its\nimplementation of past corrective action measures fully addresses the\nweaknesses identified in the OIG\xe2\x80\x99s previous audit report and to address\nadditional needs identified in this audit.\n\n\nRecommendations\n\nWe recommend that the FBI:\n\n16.    Broaden the current methodology used by FBI QAS auditors for NDIS\n       profile verification to permit the selection of profiles from each\n       laboratory\xe2\x80\x99s total profiles in NDIS. This revised methodology should\n       continue once CODIS Unit auditors are on staff.\n\n\n\n                                    - 62 -\n\x0c17.   Expand the scope of CODIS Unit auditor duties to include verification\n      of compliance with NDIS requirements.\n\n18.   Alter the annual user certification documentation required from\n      laboratories to include information sufficient to confirm that all CODIS\n      users are completing the forms as required.\n\n19.   Ensure that QAS auditor training is based upon a comprehensive\n      written curriculum, including guidance that reaches beyond the\n      contents of the audit document.\n\n20.   Develop web-based training tools for QAS compliance and auditing\n      information, to aid the CODIS community\xe2\x80\x99s awareness, understanding,\n      and consistent interpretation of the QAS.\n\n21.   Monitor NDIS Audit Review Panel member performance to ensure that\n      members are timely, and implement procedures for taking action in\n      cases where members are consistently untimely.\n\n22.   Track information currently collected from NDIS-participants to ensure\n      all external QAS audits reported to the CODIS Unit are also submitted\n      to the NDIS Audit Review Panel.\n\n\n\n\n                                    - 63 -\n\x0c                   STATEMENT ON COMPLIANCE WITH\n                       LAWS AND REGULATIONS\n\n      As required by the Government Auditing Standards, we tested FBI\nrecords pertaining to the administration of CODIS to obtain reasonable\nassurance about the FBI\xe2\x80\x99s compliance with laws and regulations that, if not\ncomplied with, could have a material effect on the administration of CODIS.\nCompliance with laws and regulations applicable to CODIS records at the\nnational index level is the responsibility of FBI management. An audit\nincludes examining, on a test basis, evidence about compliance with laws\nand regulations. The pertinent legislation and the applicable regulations it\ncontains are as follows:\n\n\nDNA Identification Act of 1994 48\n\n      The DNA Identification Act of 1994 authorized the establishment of a\nnational index of: (1) DNA identification records of persons convicted of\ncrimes, (2) analyses of DNA samples recovered from crime scenes, and\n(3) analyses of DNA samples recovered from unidentified human remains.\n\n      In addition, it specified several standards for those laboratories that\ncontribute profiles to the national index system, including proficiency testing\nrequirements for DNA analysts and privacy protection standards related to\nthe information in the national index system.\n\n      Finally, it established criminal penalties for individuals who knowingly\nviolate the privacy protection standards, and provided that access to the\nnational index system was subject to cancellation if the quality control and\nprivacy requirements were not met.\n\n\nJustice for All Act of 2004 49\n\n     This Act instituted material changes to the DNA Identification Act of\n1994, including the:\n\n   \xe2\x80\xa2   creation of a new indicted persons index;\n\n\n\n       48\n            Pub. L. No. 103-322 (1994).\n       49\n            Pub. L. No. 108-405 (2004).\n\n                                          - 64 -\n\x0c   \xe2\x80\xa2   expansion of the offenses for which federal and military offender\n       samples are collected;\n\n   \xe2\x80\xa2   enhancement of the criminal penalties for unauthorized use of NDIS;\n\n   \xe2\x80\xa2   authorization of one-time keyboard searches by all NDIS participants\n       of samples not normally included in NDIS (except for voluntarily\n       submitted elimination samples);\n\n   \xe2\x80\xa2   deletion of the separate requirement for semiannual external\n       proficiency tests (although it retained the separate requirement for\n       biannual external audits);\n\n   \xe2\x80\xa2   requirement for state and local forensic laboratories to be accredited\n       by a nationally recognized program within 2 years of enactment\n       (October 30, 2006); and\n\n   \xe2\x80\xa2   requirement for the FBI to report to Congress any plans to change the\n       "core genetic markers" 180 days prior to that change taking effect.\n\n\n\n                                \xe2\x99\xa6      \xe2\x99\xa6      \xe2\x99\xa6\n       Our tests revealed that the FBI was compliant with the above\nlegislation, as applicable to the activities during our audit period.\n\n\n\n\n                                     - 65 -\n\x0c              STATEMENT ON INTERNAL CONTROLS\n\n       In planning and performing our audit of CODIS, we considered the\nFBI\xe2\x80\x99s internal controls for the purpose of determining our auditing\nprocedures. In addition, we evaluated the process used by the FBI to\nmonitor the compliance of CODIS participants. The evaluation of the FBI\nwas not made for the purpose of providing assurance on the internal control\nstructure as a whole; however, we noted certain matters that we consider to\nbe reportable conditions under the generally accepted Government Auditing\nStandards.\n\n      Reportable conditions involve matters coming to our attention relating\nto significant deficiencies in the design or operation of the internal control\nstructure that, in our judgment, could adversely affect the FBI\xe2\x80\x99s ability to\nadminister the CODIS Program. We noted deficiencies relating to the FBI\xe2\x80\x99s\nadministration of CODIS, specifically the use of self-certification alone as a\ncontrol over NDIS-participant compliance with specific NDIS requirements,\ndiscussed in Findings I and III. We also noted deficiencies concerning the\nFBI\xe2\x80\x99s monitoring of NDIS-participants\xe2\x80\x99 compliance with the QAS and the\ntracking of instances of non-compliance, as discussed in Finding II.\nHowever, we did not consider these deficiencies to be a result of systemic\ninternal control issues.\n\n      Because we are not expressing an opinion on the FBI\xe2\x80\x99s internal control\nstructure as a whole, this statement is intended solely for the information\nand use of the FBI in administering CODIS.\n\n\n\n\n                                    - 66 -\n\x0c                                                                         APPENDIX I\n\n               OBJECTIVES, SCOPE AND METHODOLOGY\n\n      We conducted our audit in accordance with the Government Auditing\nStandards and included such tests as were considered necessary to\naccomplish the audit objectives. Our audit generally covered the period\nfrom October 2003 through November 2005, although in some instances it\nwas necessary to consider documentation from outside that timeframe. The\nobjectives of this audit were to:\n\n1.       assess the adequacy of the FBI\xe2\x80\x99s administration of CODIS, including its\n         oversight of the national DNA database;\n\n2.       analyze findings from DNA laboratory audits, both OIG-conducted\n         audits and external quality assurance audits, to determine if they\n         reveal trends and vulnerabilities; and\n\n3.       evaluate the FBI\xe2\x80\x99s implementation of corrective actions in response to\n         findings from the OIG\xe2\x80\x99s September 2001 audit, The Combined DNA\n         Index System. 50\n\n         To accomplish the objectives of this audit we:\n\n     \xe2\x80\xa2   Developed and conducted a survey of 174 NDIS participating\n         laboratories to obtain feedback from CODIS administrators on the FBI\xe2\x80\x99s\n         administration of CODIS.\n\n     \xe2\x80\xa2   Interviewed CODIS Unit management regarding staffing, position\n         responsibilities, and the planned timeline for filling vacant CODIS Unit\n         positions.\n\n     \xe2\x80\xa2   Interviewed FBI management regarding the mission, goals, objectives,\n         and performance measurements for the CODIS Unit, and obtained\n         copies of all supporting documentation for those strategic planning\n         items.\n\n     \xe2\x80\xa2   Reviewed contract and operations documents to verify the operation,\n         maintenance, and security of the CODIS System.\n\n\n\n\n         50\n        Department of Justice, Office of the Inspector General. Audit Report No. 01-26,\nThe Combined DNA Index System, September 2001.\n\n\n\n                                         - 67 -\n\x0c                                                                             APPENDIX I\n\n   \xe2\x80\xa2   Reviewed FBI documentation and interviewed FBI management to verify\n       that the proper changes have been made to the database as required by\n       the Justice for All Act of 2004.51\n\n   \xe2\x80\xa2   Reviewed FBI documentation and interviewed FBI management\n       regarding the current status and plans of each of the corrective action\n       measures implemented as a result of the prior OIG audit of CODIS.\n\n   \xe2\x80\xa2   Reviewed 18 OIG CODIS laboratory audits and identified trends in the\n       findings.\n\n   \xe2\x80\xa2   Reviewed a random sample of 41 external laboratory evaluation reports\n       and supporting documentation for corrective action taken, if any, to\n       determine if any trends or vulnerabilities could be detected from a\n       collective review of quality assurance laboratory findings. 52\n\n   \xe2\x80\xa2   Analyzed the tracking system maintained by the CODIS Unit for the\n       processing of audits through the NDIS Audit Review Panel (Review\n       Panel), to determine the efficiency of the process and the timeliness of\n       Review Panel member submissions on their assessment of each audit.\n\n      The following sections provide additional detail for work that specific\nactions listed in the preceding list.\n\n\nOIG CODIS Administrator Survey\n\n      Using information obtained during meetings with the FBI and CODIS\nadministrators, including issues that were raised during open discussion at\nthe SDIS administrator\'s meeting in May 2005, we developed a survey for\ncompletion by CODIS administrators at NDIS-participating laboratories. The\nsurvey provided us with feedback on the FBI\xe2\x80\x99s administration of CODIS and\nlaboratory concerns about quality issues or problems in the CODIS\ncommunity. We included open-ended and static-option questions. For those\nquestions where we provided static options, we included space for\n\n       51\n            Pub. L. No. 108-405 (2004).\n       52\n            The QAS require that laboratories undergo annual audits and, that at least every\nother year, the audit must be performed by an external agency that performs DNA\nidentification analysis and is independent of the laboratory being reviewed. These annual\naudits are not required by the QAS to be performed in accordance with the Government\nAuditing Standards (GAS) and are not performed by the Office of the Inspector General.\nTherefore, we will refer to the annual audits as evaluations (either an internal laboratory\nevaluation or an external laboratory evaluation, as applicable) to avoid confusion with our\naudit, which was conducted in accordance with GAS.\n\n                                           - 68 -\n\x0c                                                                 APPENDIX I\n\nmiscellaneous comments. In addition, we assured the CODIS administrators\nthat responses would be confidential and individual responses would not be\nsingled out in a way that could identify the source of the information.\n\n      After the initial draft of the survey was created, we tested the survey\non members of the CODIS community. We used information received from\nthe FBI to select experienced individuals to test the survey, being careful not\nto select CODIS administrators to preserve the universe for our final survey.\nWe contacted six members of the DNA community and all six responded.\nAdditional revisions were made to the survey based upon the test\nrespondents\xe2\x80\x99 comments, and were reflected in the final version.\n\n      The final version of the survey was e-mailed to 174 CODIS\nadministrators on June 7, 2005. A list of the CODIS participating\nlaboratories to which we sent the survey appears in Appendix II. CODIS\nadministrators were initially given until June 24, 2005, to complete the\nsurvey and return it via e-mail, fax, or U.S. mail. On June 21, 2005, we\nsent out a reminder e-mail and, on June 28, 2005, we sent out a third e-\nmail extending the deadline to July 7, 2005. We extended the deadline to\ngive non-responding states a chance to reply.\n\n      As of July 7, 2005 (the extended deadline), we had received 139\nsurveys. However, there were 6 states from which we still had not received\na response. In a final attempt to give these six states a chance to submit a\nsurvey we contacted them via e-mail on July 29, 2005.\n\n      After all the extensions (August 15, 2005 was the final cut-off date)\nwe still had not heard from Idaho and Rhode Island. We noted that a\nmember of the Connecticut laboratory had provided a response, but did so\nduring the test phase of the survey, and since the survey changed after that\nresponse was received, we could not include it in our results.\n\n       The survey contained 46 questions which were broken into seven\nsections: (1) demographics, (2) FBI CODIS Unit responsiveness,\n(3) allowability of DNA profiles, (4) laboratory quality, (5) general CODIS\noperations, (6) NDIS Audit Review Panel, and (7) FBI guidance to the CODIS\ncommunity.\n\n     Additional information about how we tallied the survey responses, and\na summary of the actual responses received can be found in Appendix VII.\n\n\n\n\n                                    - 69 -\n\x0c                                                                            APPENDIX I\n\nOIG CODIS Laboratory Audits\n\n       During our audit we analyzed a total of 18 OIG CODIS laboratory\naudits, of which 6 were issued in final for FY 2004 and 12 were issued in\nfinal for FY 2005. 53 A list of the 18 OIG CODIS laboratory audits is\ncontained in Appendix V.\n\n      We identified and analyzed trends from each audit specific to profile\nallowability as well as the number of findings for the five different QAS\nsections reviewed during the audits, as follows.\n\n   \xe2\x80\xa2   NDIS participation requirements,\n\n   \xe2\x80\xa2   quality assurance standards (QAS),\n\n   \xe2\x80\xa2   forensic profiles,\n\n   \xe2\x80\xa2   convicted offender profiles, and\n\n   \xe2\x80\xa2   other reportable matters.\n\n\nExternal QAS Evaluations\n\n      We tested the FBI\xe2\x80\x99s records for the Review Panel and the external QAS\nevaluations submitted to it. We judgmentally selected 10 participating\nstates and compared the FBI\xe2\x80\x99s electronic records against the written records\nused to create the electronic records. We found no material differences in\nthe tracking system. As a result we did not expand our sample and relied on\nthe information contained in the electronic records.\n\n      In addition to reviewing the tracking system for data reliability, we\ndetermined if delays in the process were significant, if the timeliness was\nimproving, and whether the Review Panel members were meeting the\n30-day deadline set forth in the NDIS procedures for reviewing audits. In\norder to see if the timeliness had improved we analyzed the information\ncontained in the FBI\xe2\x80\x99s records for both 2003 and 2004. 54\n\n\n\n\n       53\n          In our analysis, we included two audit reports for audits completed in FY 2005\nthat were not issued until early FY 2006.\n       54\n            All of our analysis was done based on calendar days.\n\n                                            - 70 -\n\x0c                                                               APPENDIX I\n\n      Working with the information provided to us from the FBI, we\ndetermined that there were 72 closed evaluations in 2004 and 11 closed\nevaluations in 2005. We tested 50 percent, or 41, of these evaluations.\n\n      We used random sample selection over the 2 years of interest since\nour goal was to conduct a trend analysis and to look at findings at more\nlaboratories. Further, we stratified our sample to ensure we selected a\npercentage of SDIS and LDIS laboratories representative of the whole\nuniverse. We excluded laboratories the OIG had already audited, to avoid\nrequesting information similar to what had been requested previously.\n\n      We notified the CODIS Unit Chief that we would be contacting the\nlaboratories to request copies of external QAS evaluations and related\ncorrespondence. We provided him with copies of any written\ncorrespondence we issued in order to acquire the documentation we needed\nto complete our review.\n\n     Using contact information obtained from the FBI we contacted CODIS\nadministrators for each of the laboratories and explained the following:\n\n  \xe2\x80\xa2   We were conducting an audit of the FBI\'s CODIS Unit, and in\n      connection with that, we needed to obtain documentation to confirm\n      the FBI\'s records for the Review Panel.\n\n  \xe2\x80\xa2   We had selected a sample of the evaluations conducted and cleared\n      from 2004 through July 2005, and their laboratory\xe2\x80\x99s evaluation was\n      one of those selected.\n\n  \xe2\x80\xa2   Since the FBI returns all documentation from the submitting\n      laboratories, we needed to obtain copies of documentation directly\n      from them.\n\n  \xe2\x80\xa2   For the evaluation selected (specific dates were provided), we needed\n      a copy of the completed evaluation document and any correspondence\n      that had been sent to or received from the FBI related to that\n      evaluation (not including complete corrective action documentation,\n      such as revised policies or procedures).\n\n      The 41 laboratories in our sample represent 19 states and 1 federal\nagency. We analyzed the evaluations in our sample for trends and statistics.\nSpecifically, we calculated:\n\n  \xe2\x80\xa2   the number of findings (based on QAS section numbers);\n\n\n\n                                   - 71 -\n\x0c                                                               APPENDIX I\n\n  \xe2\x80\xa2   the average number of findings per laboratory, with and without\n      adjustments for overturned findings;\n\n  \xe2\x80\xa2   the number and percentage of overturned findings; and\n\n  \xe2\x80\xa2   the number of laboratories with common findings, without common\n      findings, and with no findings, divided into categories of SDIS and\n      LDIS laboratories.\n\n      In our analysis, we relied upon the findings and conclusions of the QAS\nevaluators within the DNA community, and did not perform any assessment\nas to the scope of their work. In addition, we did not confirm whether those\nevaluators met the requirements for conducting external QAS evaluations,\nspecifically the requirement that they successfully complete the FBI\xe2\x80\x99s QAS\nauditor training.\n\n      We compared the documentation received from the laboratories to the\ninformation the FBI had provided in its Review Panel record spreadsheets, to\nverify accuracy of those records. We also tracked whether the Review Panel\nhad to follow up with the laboratories and whether findings were challenged\nby the laboratories, to determine if those issues impeded the timeliness of\nthe Review Panel process.\n\n\n\n\n                                   - 72 -\n\x0c                                                                   APPENDIX II\n\n               LIST OF SURVEYED LABORATORIES\n\n1.    Department of Forensic Science, South Birmingham, Alabama\n\n2.    Department of Forensic Science, Huntsville, Alabama\n\n3.    Department of Forensic Science, Mobile, Alabama\n\n4.    Department of Forensic Science, Montgomery, Alabama\n\n5.    Department of Forensic Science, South Birmingham, Alabama\n\n6.    Department of Forensic Science, South Birmingham, Alabama\n\n7.    Scientific Crime Detection, Anchorage, Alaska\n\n8.    State Crime Laboratory, Little Rock, Arkansas\n\n9.    Department of Public Safety Crime Laboratory, Flagstaff, Arizona\n\n10.   Police Department Crime Laboratory, Mesa, Arizona\n\n11.   Department of Public Safety Crime Laboratory, Phoenix, Arizona\n\n12.   Police Department Crime Laboratory, Phoenix, Arizona\n\n13.   Police Department Crime Laboratory, Scottsdale, Arizona\n\n14.   Department of Public Safety Crime Laboratory, Tucson, Arizona\n\n15.   Police Department Crime Laboratory, Tucson, Arizona\n\n16.   Kern County Regional Crime Laboratory, Bakersfield, California\n\n17.   California Department of Justice, Fresno, California\n\n18.   California Department of Justice, Richmond, California\n\n19.   Los Angeles County Sheriff\'s Department, Los Angeles, California\n\n20.   Los Angeles Police Department, Los Angeles, California\n\n21.   Contra Costa County Sheriff\'s Office, Martinez, California\n\n22.   Oakland Police Department Crime Laboratory, Oakland, California\n\n\n\n\n                                    - 73 -\n\x0c                                                                  APPENDIX II\n\n23.   Richmond Missing Persons Laboratory, Richmond, California\n\n24.   California Department of Justice DNA Laboratory, Richmond, California\n\n25.   Orange County Sheriff\'s Department, Santa Ana, California\n\n26.   District Attorney\'s Office Laboratory of Forensic Services, Sacramento,\n      California\n\n27.   California Department of Justice, Sacramento, California\n\n28.   Sheriff\'s Department Scientific Investigations Division, San Bernardino,\n      California\n\n29.   Sheriff\'s Department Crime Laboratory, San Diego, California\n\n30.   Police Department Forensic Science Section, San Diego, California\n\n31.   Police Department Criminalistics Laboratory, San Francisco, California\n\n32.   Santa Clara County District Attorney\'s Crime Laboratory, San Jose,\n      California\n\n33.   Sheriff\'s Department Crime Laboratory, Ventura, California\n\n34.   Alameda County Sheriff\'s Criminalistics Laboratory, San Leandro,\n      California\n\n35.   Colorado Bureau of Investigation Laboratory Section, Denver, Colorado\n\n36.   Colorado Bureau of Investigation Laboratory Section, Montrose,\n      Colorado\n\n37.   Colorado Bureau of Investigation Laboratory Section, Pueblo, Colorado\n\n38.   Denver Police Department Crime Laboratory, Denver, Colorado\n\n39.   State Police Forensic Science Laboratory, Meriden, Connecticut\n\n40.   Office of the Chief Medical Examiner, Wilmington, Delaware\n\n41.   Broward County Sheriff\'s Office, Fort Lauderdale, Florida\n\n42.   Miami-Dade Police Department, Miami, Florida\n\n\n\n\n                                    - 74 -\n\x0c                                                                   APPENDIX II\n\n43.   Florida Department of Law Enforcement, Jacksonville, Florida\n\n44.   Florida Department of Law Enforcement, Pensacola, Florida\n\n45.   Florida Department of Law Enforcement, Tampa, Florida\n\n46.   Florida Department of Law Enforcement, Tallahassee, Florida\n\n47.   Florida Department of Law Enforcement, Tallahassee, Florida\n\n48.   Florida Department of Law Enforcement, Orlando, Florida\n\n49.   Indian River Crime Laboratory, Fort Pierce, Florida\n\n50.   Palm Beach Sheriff\'s Office Crime Laboratory, West Palm Beach,\n      Florida\n\n51.   United States Army Criminal Investigation Laboratory, Forest Park,\n      Georgia\n\n52.   Georgia Bureau of Investigation, Decatur, Georgia\n\n53.   Georgia Bureau of Investigation, Savannah, Georgia\n\n54.   Honolulu Police Department DNA Laboratory, Honolulu, Hawaii\n\n55.   Iowa Department of Public Safety Division of Criminal Investigation,\n      Ankeny, Iowa\n\n56.   State Police Forensic Services, Meridian, Idaho\n\n57.   State Police Forensic Laboratory Biochemistry Section, Chicago, Illinois\n\n58.   DuPage County Sheriff\'s Crime Laboratory, Wheaton, Illinois\n\n59.   State Police Forensic Science Laboratory, Carbondale, Illinois\n\n60.   State Police Forensic Science Laboratory, Fairview Heights, Illinois\n\n61.   State Police Forensic Science Laboratory, Springfield, Illinois\n\n62.   State Police Forensic Science Laboratory, Springfield, Illinois\n\n63.   State Police Forensic Science Laboratory, Morton, Illinois\n\n\n\n                                     - 75 -\n\x0c                                                                   APPENDIX II\n\n64.   State Police Forensic Science Laboratory, Joliet, Illinois\n\n65.   State Police Forensic Science Laboratory, Rockford, Illinois\n\n66.   Marion County Forensic Services Agency, Indianapolis, Indiana\n\n67.   State Police Regional Laboratory, Lowell, Indiana\n\n68.   State Police Laboratory, Indianapolis, Indiana\n\n69.   Kansas Bureau of Investigation, Great Bend, Kansas\n\n70.   Johnson County Criminalistics Laboratory, Mission, Kansas\n\n71.   Sedgwick County Regional Forensic Science Center, Wichita, Kansas\n\n72.   Kansas Bureau of Investigation, Topeka, Kansas\n\n73.   Kansas Bureau of Investigation, Kansas City, Kansas\n\n74.   Kentucky State Police Forensic Laboratory, Frankfort, Kentucky\n\n75.   North Louisiana Criminalistics Laboratory, Shreveport, Louisiana\n\n76.   Acadiana Criminalistics Laboratory, New Iberia, Louisiana\n\n77.   Jefferson Parish Forensic Center DNA Laboratory, Metairie, Louisiana\n\n78.   Police Department Scientific Investigations Division, New Orleans,\n      Louisiana\n\n79.   State Police Crime laboratory, Baton Rouge, Louisiana\n\n80.   Police Crime Laboratory, Boston, Massachusetts\n\n81.   State Police Crime Laboratory, Sudbury, Massachusetts\n\n82.   Anne Arundel County Crime Laboratory, Millersville, Maryland\n\n83.   Baltimore County Police Department Forensic Services Division,\n      Towson, Maryland\n\n84.   Montgomery County Department of Police Crime Laboratory Forensic\n      Biology Unit, Rockville, Maryland\n\n\n\n                                     - 76 -\n\x0c                                                                APPENDIX II\n\n85.   Prince Georges County Police Department Crime Laboratory, Landover,\n      Maryland\n\n86.   Police Department Laboratory, Baltimore, Maryland\n\n87.   State Police Forensic Sciences Division, Pikesville, Maryland\n\n88.   State Police Crime Laboratory, Augusta, Maine\n\n89.   Hennepin County Sheriff\'s Office, Minneapolis, Minnesota\n\n90.   Minnesota Bureau of Criminal Apprehension, St. Paul, Minnesota\n\n91.   State Police Crime Laboratory, Lansing, Michigan\n\n92.   State Police Crime Laboratory, Northville, Michigan\n\n93.   State Police Crime Laboratory, Grand Rapids, Michigan\n\n94.   Police Forensic Services Division, Detroit, Michigan\n\n95.   State Police Crime Laboratory, Jackson, Mississippi\n\n96.   Metropolitan Police Department Laboratory Division, St. Louis, Missouri\n\n97.   St. Louis County Police Department Crime Laboratory, Clayton,\n      Missouri\n\n98.   State Highway Patrol Crime Laboratory Division, Jefferson City,\n      Missouri\n\n99.   Regional Crime Laboratory, Kansas City, Missouri\n\n100. Department Of Justice Forensic Science Division, Missoula, Montana\n\n101. State Patrol Crime Laboratory, Lincoln, Nebraska\n\n102. State Forensics Laboratory Department of Safety, Concord, New\n     Hampshire\n\n103. State Police Central Laboratory, Hamilton, New Jersey\n\n104. Criminalistics Laboratory Metropolitan Forensic Science Center,\n     Albuquerque, New Mexico\n\n\n\n                                    - 77 -\n\x0c                                                              APPENDIX II\n\n105. DNA ID System Administrative Center, Metropolitan Forensic Science\n     Center, North West Albuquerque, New Mexico\n\n106. Department of Public Safety, Santa Fe, New Mexico\n\n107. Metropolitan Police Department Forensic Laboratory, Las Vegas,\n     Nevada\n\n108. Washoe County Sheriff\'s Office, Reno, Nevada\n\n109. Erie County Central Police Services, Buffalo, New York\n\n110. Office of the Medical Examiner, Nassau County, East Meadow, New\n     York\n\n111. Suffolk County Crime Laboratory, Hauppauge, New York\n\n112. Office of the Chief Medical Examiner Department of Health, New York,\n     New York\n\n113. Monroe County Public Safety, Rochester, New York\n\n114. Onondaga County Crime Laboratory Center for Forensic Sciences,\n     Syracuse, New York\n\n115. Westchester County Department of Laboratories and Research,\n     Valhalla, New York\n\n116. State Police Crime Laboratory, Albany, New York\n\n117. Charlotte-Mecklenburg Police Crime Laboratory, Charlotte, North\n     Carolina\n\n118. Bureau of Investigation Crime Laboratory, Raleigh, North Carolina\n\n119. Office of Attorney General Crime Laboratory Division, Bismarck, North\n     Dakota\n\n120. Bureau of Criminal Investigation, Bowling Green, Ohio\n\n121. Canton/Stark County Crime Laboratory, Canton, Ohio\n\n122. Hamilton County Coroner\'s Laboratory, Cincinnati, Ohio\n\n\n\n\n                                   - 78 -\n\x0c                                                             APPENDIX II\n\n123. Cuyahoga County Coroner\'s Office, Cleveland, Ohio\n\n124. Police Department Crime Laboratory, Columbus, Ohio\n\n125. Miami Valley Regional Crime Laboratory, Dayton, Ohio\n\n126. Bureau of Criminal Investigation, London, Ohio\n\n127. Police Department Crime Laboratory, Mansfield, Ohio\n\n128. Lake County Regional Forensic Laboratory, Painesville, Ohio\n\n129. Bureau of Criminal Investigation, Richfield, Ohio\n\n130. State Bureau of Investigation, Oklahoma City, Oklahoma\n\n131. Police Department, Oklahoma City, Oklahoma\n\n132. Police Department Forensic Laboratory, Tulsa, Oklahoma\n\n133. Oregon State Police, Portland Metro Forensic Laboratory, Clackamas,\n     Oregon\n\n134. State Police, Bethlehem, Pennsylvania\n\n135. State Police, Greensburg, Pennsylvania\n\n136. Police Forensic Science Center DNA Identification Laboratory,\n     Philadelphia, Pennsylvania\n\n137. Allegheny County Division of Laboratories, Pittsburgh, Pennsylvania\n\n138. Estado Libre Asociado de Puerto Rico Instituto de Ciencias Forenses de\n     Puerto Rico Laboratorio de Criminalistica, San Juan, Puerto Rico\n\n139. Department of Health Forensic Laboratories, Providence, Rhode Island\n\n140. Law Enforcement Division, Columbia, South Carolina\n\n141. Richland County Sheriff\'s Department, Columbia, South Carolina\n\n142. Forensic Laboratory, Pierre, South Dakota\n\n143. Bureau of Investigation Crime Laboratory, Knoxville, Tennessee\n\n\n\n                                   - 79 -\n\x0c                                                                APPENDIX II\n\n144. Bureau of Investigation Crime Laboratory, Memphis, Tennessee\n\n145. Bureau of Investigation Crime Laboratory, Nashville, Tennessee\n\n146. Department of Public Safety Crime Laboratory, Austin, Texas\n\n147. Department of Public Safety Headquarters Laboratory, Austin, Texas\n\n148. Police Department, Austin, Texas\n\n149. Department of Public Safety Crime Laboratory, Corpus Christi, Texas\n\n150. Southwestern Institute of Forensic Sciences Dallas, Texas\n\n151. Department of Public Safety Crime Laboratory, El Paso, Texas\n\n152. Tarrant County Medical Examiner\'s Office, Fort Worth, Texas\n\n153. University of North Texas Health Science Center DNA Identification\n     Laboratory, Fort Worth, Texas\n\n154. Department of Public Safety Crime Laboratory, Garland, Texas\n\n155. Department of Public Safety Crime Laboratory, Houston, Texas\n\n156. Department of Public Safety Crime Laboratory, Lubbock, Texas\n\n157. Department of Public Safety Crime Laboratory, McAllen, Texas\n\n158. Bexar County Forensic Science Center, San Antonio, Texas\n\n159. Harris County Medical Examiner\'s Office, Houston, Texas\n\n160. Department of Public Safety Crime Laboratory, Waco, Texas\n\n161. Department of Public Safety Crime Laboratory, Salt Lake City, Utah\n\n162. Western Regional Forensic Laboratory, Roanoke, Virginia\n\n163. Northern Regional Forensic Laboratory, Fairfax, Virginia\n\n164. Eastern Regional Forensic Laboratory, Norfolk, Virginia\n\n165. Central Regional Forensic Laboratory, Richmond, Virginia\n\n\n\n                                   - 80 -\n\x0c                                                             APPENDIX II\n\n166. Department of Public Safety Forensic Laboratory, Waterbury, Vermont\n\n167. Crime Laboratory, Marysville, Washington\n\n168. State Patrol Crime Laboratory, Seattle, Washington\n\n169. State Patrol Crime Laboratory, Spokane, Washington\n\n170. State Patrol Crime Laboratory, Tacoma, Washington\n\n171. State Crime Laboratory, Madison, Wisconsin\n\n172. State Crime Laboratory, Milwaukee, Wisconsin\n\n173. State Police Crime Laboratory, South Charleston, West Virginia\n\n174. State Crime Laboratory, Cheyenne, Wyoming\n\n\n\n\n                                  - 81 -\n\x0c                                                                     APPENDIX III\n\n                                AUDIT CRITERIA\n\n      In this appendix, we summarize the sources of criteria that we used in\nthe completion of this audit. Note that we only list criteria specific to our\naudit of the FBI, versus the audit criteria used to complete the OIG\xe2\x80\x99s CODIS\nlaboratory audits (addressed in Appendix IV), the results of which we\nanalyzed for this audit.\n\n\nFederal Legislation\n\n       Various pieces of legislation have been enacted over the past 11 years\nthat have helped shape the CODIS program. Two of these have been the\nprimary instruments of creation and change, The DNA Identification Act of\n1994 and the Justice for All Act of 2004. 55 We used these items of\nlegislation as criteria to evaluate the FBI\xe2\x80\x99s administration of CODIS\n(Objective number one and two) and the FBI\xe2\x80\x99s implementation of corrective\nactions in response to previous OIG audit findings (Objective number three).\n\nThe DNA Identification Act of 1994\n\n      This Act authorized the FBI to establish and maintain CODIS. The Act\nalso established the DNA Advisory Board to compose standards for quality\nassurance with which CODIS-participating laboratories would have to comply\nand which the Director of the FBI could then formally institute. The Act also\nrequired the FBI to institute physical and electronic controls over the\ninformation in CODIS, which led to the creation of the NDIS Requirements. 56\n\n\nJustice for All Act of 2004\n\n      This Act consists of three sections, The Debbie Smith Act which\nexpands the database and allows for one-time keyboard searches, the DNA\nSexual Assault Justice Act which requires all laboratories to be accredited by\nOctober 30, 2006, and the Innocence Protection Act of 2004, which\nestablishes various provisions for post conviction DNA testing. A more\ndetailed description of each section is as follows. 57\n\n\n\n      55\n           Pub. L. No. 103-322 (1994); Pub. L. No. 108-405 (2004).\n      56\n           Pub. L. No. 103-322 (1994).\n      57\n           Pub. L. No. 108-405 (2004).\n\n\n\n                                          - 82 -\n\x0c                                                               APPENDIX III\n\n      Debbie Smith Act of 2004. Requires laboratories to implement\ncorrective action to findings identified in QAS audits, giving greater emphasis\nto the NDIS Audit Review Panel and the DNA community auditing\norganizations. Expands CODIS to include samples from indicted criminals,\nand expands the offenses for the Federal Convicted Offender Program to all\nfelons. This section also expands the authority for keyboard searches and\nincreases the penalties for misuse. It also, requires the FBI to report to\nCongress if changes are made to the CODIS "core genetic markers."\n\n      The DNA Sexual Assault Justice Act of 2004. Requires laboratories\nwho receive grant funds to be accredited, and reiterates the requirement for\nbiannual external audits that demonstrate compliance with the QAS. Also\nrequires accreditation by October 30, 2006.\n\n      Innocence Protection Act of 2004. This Act deals primarily with post-\nconviction DNA testing, when and how that testing will be made available,\nand how the results will be interpreted, including what is entered into NDIS\nand when those profiles can be retained.\n\n\nNDIS Participation Requirements\n\n      We considered one of the NDIS procedures, Review of External Audits,\nas part of our audit criteria, and tested compliance with the requirements\nthat apply to the FBI\xe2\x80\x99s performance, as excerpted below.\n\n\nQuality Assurance Standard Audit Review \xe2\x80\x93 General Overview (Section 5.0):\n\n       In response to a finding by the Office of the Inspector General (June,\n2001) that the self-certification of compliance with the FBI Director\xe2\x80\x99s QAS\nwas insufficient to ensure that audit findings, if any, were appropriately\nresolved, the FBI Laboratory developed a program to review the external\nQAS audits conducted at NDIS Participating Laboratories. Therefore, to fulfill\nits obligations under the DNA Identification Act of 1994, the FBI Laboratory\nwill review all external QAS audits of laboratories seeking to participate in\nNDIS and NDIS Participating Laboratories to evaluate any findings and\ndetermine if further action is warranted.\n\n      To facilitate the review process, NDIS Participating Laboratories shall\nforward the audit report to the NDIS Custodian upon their receipt of the\nreport. The NDIS Custodian will review the report and if there are no\nfindings, the review shall be deemed complete and the documentation\nreturned to the NDIS Participating Laboratory. If there are findings that do\n\n\n\n                                    - 83 -\n\x0c                                                              APPENDIX III\n\nnot relate to DNA and or a laboratory\xe2\x80\x99s participation in NDIS, the review\nshall also be deemed complete and the documentation returned to the NDIS\nParticipating Laboratory. However, if there are any findings relating to DNA\nor a laboratory\xe2\x80\x99s participation in NDIS, the report shall be forwarded to the\nNDIS Audit Review Panel, which will review the audit report and determine if\nthe findings have been addressed and resolved, as necessary. If there are\nno findings but comments are present, the external audit report shall be\nforwarded to the chairperson of the NDIS Audit Review Panel for review and\npossible action. If further action is warranted, the chairperson of the NDIS\nAudit Review Panel will follow up with the NDIS Participating Laboratory to\nresolve any outstanding issues. In the event that the NDIS Participating\nLaboratory fails to respond to the NDIS Audit Review Panel or that there\nappears to be non-compliance with the QAS, the matter shall be referred to\nthe NDIS Procedures Board (see Section 6.3) for further action in\naccordance with the DNA Identification Act of 1994.\n\n     All audit documents and related communications will be returned to\nthe NDIS Participating Laboratory for filing upon completion of the review\nprocess.\n\n\nNDIS Audit Review Panel (Section 6.2)\n\n     Once the audit documentation is received and forwarded by the NDIS\nCustodian, the chairperson of the NDIS Audit Review Panel shall review the\ndocumentation to ensure that the findings have been resolved and if\nnecessary, follow up with the NDIS Participating Laboratory.\n\n       There shall be multiple NDIS Audit Review Panels sufficient to address\nthe number of external QAS audits requiring review. An NDIS Audit Review\nPanel shall consist of five qualified or previously qualified DNA examiners or\nanalysts who have successfully completed the training on the QAS Audit\nDocument: (1) at least two of whom shall be representatives of state or\nlocal forensic DNA laboratories; and (2) at least two of whom shall be\nrepresentatives of the FBI. The FBI shall designate someone who shall serve\nas chairperson of each such Review Panel and shall have voting privileges.\nNDIS Audit Review Panel members shall provide their comments, if any, to\nthe chairperson of the NDIS Audit Review Panel.\n\n       NDIS Audit Review Panel members shall have 30 days to complete\ntheir review and communicate their findings to the chairperson of the NDIS\nAudit Review Panel. In the event any NDIS Audit Review Panel member is\nunable to perform their review within the 30 days, the Review Panel member\nshall notify the chairperson of the NDIS Audit Review Panel.\n\n\n\n                                    - 84 -\n\x0c                                                              APPENDIX III\n\nNDIS Procedures Board (Section 6.3)\n\n      The NDIS Procedures Board shall review all external QAS audits\nreferred to it by the NDIS Custodian.\n\n        In instances in which the NDIS Audit Review Panel is unable to resolve\na matter because of the NDIS Participating Laboratory\xe2\x80\x99s failure to clarify its\nposition or provide additional information, the NDIS Procedures Board shall\nsend a written request to the Laboratory Director requesting the\nclarification or information within two weeks. In the event that the\nLaboratory Director does not respond to the request for clarification or\ninformation within the requisite timeframe, the NDIS Procedures Board shall\nnotify the Laboratory Director in writing (with a copy to the appropriate\nAgency head) that the Participating Laboratory\xe2\x80\x99s failure to respond within\none week shall result in cancellation of that Laboratory\xe2\x80\x99s access to NDIS in\naccordance with the DNA Identification Act of 1994.\n\n       In instances in which the NDIS Audit Review Panel found that the NDIS\nParticipating Laboratory did not comply with the external QAS audit or QAS,\nthe NDIS Procedures Board shall send a written request to the Laboratory\nDirector requesting a response within two weeks. In the event that the\nLaboratory Director does not respond within the requisite timeframe, the\nNDIS Procedures Board shall notify the Laboratory Director in writing (with a\ncopy to the appropriate Agency head) that the Participating Laboratory\xe2\x80\x99s\nfailure to respond within one week shall result in cancellation of that\nLaboratory\xe2\x80\x99s access to NDIS in accordance with the DNA Identification Act of\n1994.\n\n\nQuality Assurance Standards\n\n       The QAS are one of the key sources of criteria for audits of\nCODIS-participating laboratories. Two sets of standards have been\ninstituted: (1) the Quality Assurance Standards for Forensic DNA Testing\nLaboratories effective October 1, 1998; and (2) the Quality Assurance\nStandards for Convicted Offender DNA Databasing Laboratories effective\nApril 1, 1999. While we did not use the QAS as direct criteria for this audit,\nwe did rely upon evaluations of QAS compliance completed by scientists\nwithin the DNA community for our assessment of QAS findings and trends.\nConsequently, we include here a general description of the QAS sections and\nthe topics covered by each section.\n\n   \xe2\x80\xa2   QAS Section 3 addresses standards regarding a laboratory\xe2\x80\x99s quality\n       assurance program.\n\n\n\n                                    - 85 -\n\x0c                                                           APPENDIX III\n\n\xe2\x80\xa2   QAS Section 4 addresses standards governing a laboratory\xe2\x80\x99s\n    organization and management, including requirements for specific\n    personnel roles and duties.\n\n\xe2\x80\xa2   QAS Section 5 addresses standards governing personnel qualifications\n    and responsibilities.\n\n\xe2\x80\xa2   QAS Section 6 addresses standards governing facility security and\n    quality control.\n\n\xe2\x80\xa2   QAS Section 7 addresses standards governing evidence or sample\n    control, security, and handling.\n\n\xe2\x80\xa2   QAS Section 8 addresses standards governing validation of methods\n    and procedures.\n\n\xe2\x80\xa2   QAS Section 9 addresses standards governing the scope, quality\n    control, and monitoring of analytical procedures.\n\n\xe2\x80\xa2   QAS Section 10 addresses standards governing equipment calibration\n    and maintenance.\n\n\xe2\x80\xa2   QAS Section 11 addresses standards governing reports and\n    corresponding case file records.\n\n\xe2\x80\xa2   QAS Section 12 addresses standards governing reviews of analytical\n    results, reports, and court testimony.\n\n\xe2\x80\xa2   QAS Section 13 addresses standards pertaining to proficiency testing,\n    including its nature, frequency, and documentation.\n\n\xe2\x80\xa2   QAS Section 14 addresses standards pertaining to corrective action\n    documentation and procedures.\n\n\xe2\x80\xa2   QAS Section 15 addresses standards governing requirements for\n    internal and external audits.\n\n\xe2\x80\xa2   QAS Section 16 addresses standards governing laboratory safety.\n\n\xe2\x80\xa2   QAS Section 17 addresses standards pertaining to outsourcing DNA\n    analysis to a contract laboratory.\n\n\n\n\n                                 - 86 -\n\x0c                                                                APPENDIX IV\n\n       AUDIT CRITERIA FOR CODIS LABORATORY AUDITS\n\n       In conducting the OIG\xe2\x80\x99s CODIS laboratory audits, we considered the\nfollowing elements of the NDIS participation requirements and the QAS.\nHowever, we did not test for compliance with elements that are not\napplicable to the laboratory. In addition, the OIG has established standards\nto test the completeness and accuracy of DNA profiles and the timely\nnotification of law enforcement when DNA profile matches occurred in NDIS.\nFurther, we considered applicable state legislation, specific to each location\naudited, as part of our testing of convicted offender DNA profiles.\n\n\nNDIS Participation Requirements\n\n      The NDIS participation requirements, which consist of the MOU and\nthe NDIS operational procedures, establish the responsibilities and\nobligations of laboratories that participate in NDIS. The MOU requires that\nNDIS participants comply with federal legislation and the QAS, as well as\nNDIS-specific requirements accompanying the MOU in the form of\nappendices. Audit criteria for the OIG CODIS laboratory audits includes the\nfollowing requirements from MOU Appendix A \xe2\x80\x93 NDIS Responsibilities.\n\n   \xe2\x80\xa2   Organizational Responsibilities (Requirement II.B.4) \xe2\x80\x93 Comply with FBI\n       requirements for safeguarding CODIS against unauthorized use,\n       including providing an appropriate and secure site for the NDIS system.\n\n   \xe2\x80\xa2   System Operation (Requirement III.B.2) \xe2\x80\x93 Ensure that appropriate\n       personnel are provided copies of, understand, and abide by the NDIS\n       operational procedures.\n\n   \xe2\x80\xa2   System Operation (Requirement III.B.3) \xe2\x80\x93 Identify in writing, in\n       prescribed form, personnel approved to access CODIS and ensure that\n       access to CODIS is limited to them.\n\n   \xe2\x80\xa2   Reporting and Record-keeping Requirements (Requirement VI.B.1) \xe2\x80\x93\n       Report on a monthly basis, confirmed NDIS matches to the FBI in a form\n       prescribed by the FBI.\n\n   \xe2\x80\xa2   Reporting and Record-keeping Requirements (Requirement VI.B.3) \xe2\x80\x93\n       Provide to the NDIS Custodian a written report of deletions or\n       modifications within 10 business days of discovering that a DNA record\n       requires deletion or modification.\n\n\n\n\n                                     - 87 -\n\x0c                                                                          APPENDIX IV\n\n   \xe2\x80\xa2   Reporting and Record-keeping Requirements (Requirement VI.B.4) \xe2\x80\x93\n       Maintain records on these personnel, including proficiency testing\n       records and any other report required by the FBI, for a period of 10\n       years.\n\n      Audit criteria for OIG CODIS laboratory audits also includes the\nfollowing operational procedures from MOU Appendix C - NDIS Procedures\nManual. 58 The remainder of the manual consists of sets of procedures\noutside the scope of the OIG CODIS laboratory audits.\n\n\nDNA Data Acceptance Standards 59\n\n   Interpretation of DNA Profiles (Sections 6.4.2 and 6.4.3) \xe2\x80\x93 Only forensic\nprofiles derived from forensic evidence matching the suspected perpetrators\nor an unknown individual can be uploaded to NDIS. Profiles clearly matching\nthe victim or any known person other than the suspected perpetrators\ncannot be uploaded to NDIS. In the case of mixtures, the profile must not\ncontain any portion of the analysis results that clearly belong only to the\nvictim; a mixture that cannot be clearly separated into a portion matching\nthe victim or other known person and the portion matching the suspected\nperpetrator is allowable.\n\n\nAdd a User from a Participating Laboratory to NDIS\n\n       Adding a State or Local CODIS User to NDIS (Section 4.0) \xe2\x80\x93 Adding\nstate or local CODIS users to NDIS can occur under two circumstances.\nFirst, users may be added when a state begins to participate in NDIS.\nSecond, users may be added periodically as states add new CODIS users.\nTo add a user, the designated state official will send a letter to the NDIS\nCustodian requesting the addition.\n\n       The letter must be accompanied by:\n\n   \xe2\x80\xa2   FD-484: Privacy Act explanation;\n\n   \xe2\x80\xa2   FD-258: Fingerprint (10 Print) card, two copies;\n\n       58\n          The manual, a collection of operational procedures to be followed for various\nprocesses pertinent to the functioning of NDIS, was actually issued separately from the\nMOU, although it is still considered an appendix to the MOU.\n       59\n          The MOU, Appendix B, addresses DNA data acceptance standards. We did not\ninclude Appendix B in our audit criteria because the DNA Data Acceptance Standards\xe2\x80\x99\noperational procedure addresses the same issues and is more current than Appendix B.\n\n\n\n                                          - 88 -\n\x0c                                                                APPENDIX IV\n\n   \xe2\x80\xa2   FD-816: Background Data Information Form;\n\n   \xe2\x80\xa2   CODIS user information;\n\n   \xe2\x80\xa2   External Proficiency Testing Document for each Qualified DNA Analyst;\n       and\n\n   \xe2\x80\xa2   DNA Data Acceptable at NDIS form for each user.\n\n      The letter shall include a certification by the designated state official\nthat all qualified DNA analysts being added will undergo external proficiency\ntesting as required by the DNA Identification Act and the MOU.\n\n\nDNA Data Accepted at NDIS\n\n       Annual Reminder for Users (Section 5.0) \xe2\x80\x93 At the beginning of each\ncalendar year, on an annual basis, the CODIS administrator shall ensure that\neach user (personnel who have log-in access to the CODIS system and or\nqualified DNA analysts who are responsible for producing the DNA profiles\nstored in NDIS) is reminded of the categories of DNA data accepted at NDIS.\nThe CODIS administrator shall then have each user confirm they have\nreceived their annual reminder and understand and will abide by the DNA\ndata acceptance requirements. Completed annual reminders for each user\nshall be filed and maintained by the CODIS administrator and available for\ninspection.\n\n\nReview of External Evaluations\n\n       Notification of External Evaluation and Forwarding of Evaluation\nDocuments (Section 6.1) \xe2\x80\x93 It shall be the responsibility of the NDIS\nParticipating Laboratory to arrange and schedule an external QAS evaluation\nonce every two years. After January 1, 2002, the NDIS Participating\nLaboratory shall have only those persons who have successfully completed\nthe FBI training course for the QAS Audit Document perform such external\nQAS evaluation. The NDIS Participating Laboratory shall notify the NDIS\nCustodian once the external QAS evaluation has been conducted and the\nevaluation report will be forwarded for review within 30 days of the\nlaboratory\xe2\x80\x99s receipt of the report. The NDIS Participating Laboratory shall\ninclude with the evaluation report any clarifications, responses and or\ncorrective action plans or documents (hereinafter referred to as \xe2\x80\x9cevaluation\ndocumentation\xe2\x80\x9d), as appropriate. The NDIS Custodian shall acknowledge\nthis communication. If the NDIS Participating Laboratory is unable to\nforward the required evaluation documentation within 30 days, the NDIS\n\n\n\n                                     - 89 -\n\x0c                                                                APPENDIX IV\n\nParticipating Laboratory shall notify the NDIS Custodian to request an\nextension of time for sending the required evaluation documentation.\n\n\nConfirming an Interstate Candidate Match\n\n      Responsibilities (Sections 3.2 and 4.2) and Procedures (Sections 3.3\nand 4.3) \xe2\x80\x93 Candidate matches must be resolved within 30 calendar days.\nResolution is refuting or confirming that the candidate match is a valid\nmatch. Laboratories are to document the disposition of a candidate match.\nFurther, for confirmed matches, the documentation is to include the\ninteraction between the two laboratories and the notification to law\nenforcement of the match for unsolved cases.\n\n\nExpunging a DNA Profile\n\n       Responsibilities (Section 3.0) \xe2\x80\x93 Included in the DNA Analysis Backlog\nElimination Act of 2000 was a requirement for states to expunge the DNA\nprofiles of persons whose qualifying convictions had been overturned. This\nAct was effective December 19, 2001, and requires that states participating\nin NDIS \xe2\x80\x9cshall promptly expunge from that index the DNA analysis (DNA\nprofile) of a person included in the index by that state if the responsible\nagency or official of that state receives, for each conviction of the person of\nan offense on the basis of which that analysis (profile) was or could have\nbeen included in the index, a certified copy of a final court order establishing\nthat such conviction has been overturned.\xe2\x80\x9d\n\n     A participating state shall have procedures in place for expunging a\nDNA profile, regardless of whether or not its state DNA law requires it.\n\n\nQuality Assurance Standards\n\n      The FBI issued two sets of quality assurance standards \xe2\x80\x93 the Quality\nAssurance Standards for Forensic DNA Testing Laboratories, effective\nOctober 1, 1998, (Forensic QAS); and the Quality Assurance Standards for\nConvicted Offender DNA Databasing Laboratories, effective April 1, 1999,\n(Offender QAS). The Forensic QAS and the Offender QAS describe the\nquality assurance requirements that the laboratory should follow to ensure\nthe quality and integrity of the data it produces.\n\n      For the OIG CODIS laboratory audits, we generally relied on the\nreported results of the laboratory\xe2\x80\x99s most recent annual external evaluation\n\n\n\n                                     - 90 -\n\x0c                                                                 APPENDIX IV\n\nto determine if the laboratory was in compliance with the QAS. Additionally,\nwe performed audit work to verify that the laboratory was in compliance\nwith the quality assurance standards listed below, because they have a\nsubstantial effect on the integrity of the DNA profiles uploaded to NDIS.\n\n  \xe2\x80\xa2   Facilities (Forensic QAS and Offender QAS Standard 6.1) \xe2\x80\x93 The\n      laboratory shall have a facility that is designed to provide adequate\n      security and minimize contamination.\n\n  \xe2\x80\xa2   Evidence Control (Forensic QAS Standards 7.1 and 7.2) \xe2\x80\x93 The laboratory\n      shall have and follow a documented evidence control system to ensure\n      the integrity of physical evidence. Where possible, the laboratory shall\n      retain or return a portion of the evidence sample or extract.\n\n  \xe2\x80\xa2   Sample Control (Offender QAS Standard 7.1) \xe2\x80\x93 The laboratory shall\n      have and follow a documented sample inventory control system.\n\n  \xe2\x80\xa2   Analytical Procedures (Forensic QAS Standard 9.4 to 9.4.2 and Offender\n      QAS Standard 9.3 to 9.3.2) \xe2\x80\x93 The laboratory shall monitor the analytical\n      procedures using appropriate controls and standards.\n\n  \xe2\x80\xa2   Review (Forensic QAS Standard 12.1) \xe2\x80\x93 The laboratory shall conduct\n      administrative and technical reviews of all case files and reports to\n      ensure conclusions and supporting data are reasonable and within the\n      constraints of scientific knowledge.\n\n      (Offender QAS Standard 12.1) \xe2\x80\x93 The laboratory shall have and follow\n      written procedures for reviewing database sample information, results,\n      and matches.\n\n  \xe2\x80\xa2   Evaluations (Forensic QAS and Offender QAS Standards 15.1 and\n      15.2) \xe2\x80\x93 The laboratory shall conduct evaluations annually in accordance\n      with the QAS. Once every two years, a second agency shall participate\n      in the annual evaluation.\n\n  \xe2\x80\xa2   Subcontractor of Analytical Testing for which Validated Procedures Exist\n      (Forensic QAS and Offender QAS Standard 17.1) \xe2\x80\x93 A laboratory\n      operating under the scope of the QAS will require certification of\n      compliance with these standards when a subcontractor performs DNA\n      analyses for the laboratory. The laboratory will establish and use\n      appropriate review procedures to verify the integrity of the data received\n      from the subcontractor. When a subcontractor analyzes convicted\n      offender samples, these procedures must include, but are not limited to\n\n\n\n\n                                     - 91 -\n\x0c                                                                  APPENDIX IV\n\n      random re-analysis of samples, visual inspection and evaluation of\n      results or data, inclusion of quality control samples, and on-site visits.\n\n\nOffice of the Inspector General Standards\n\n     The OIG has established standards to test the completeness and\naccuracy of DNA profiles and the timely notification of law enforcement when\nDNA profile matches occur in NDIS. We test for compliance with these\nstandards as part of our CODIS laboratory audits.\n\n  \xe2\x80\xa2   Completeness of DNA Profiles \xe2\x80\x93 A profile must include all the loci for\n      which the analyst obtained results. Our rationale for this standard is\n      that the probability of a false match among DNA profiles is reduced as\n      the number of loci included in a profile increases. A false match would\n      require the unnecessary use of laboratory resources to refute the match.\n\n  \xe2\x80\xa2   Accuracy of DNA Profiles \xe2\x80\x93 The values at each locus of a profile must\n      match those identified during analysis. Our rationale for this standard is\n      that inaccurate profiles may: (1) preclude DNA profiles from being\n      matched and, therefore, the potential to link convicted offenders to a\n      crime or to link previously unrelated crimes to each other may be lost;\n      or (2) result in a false match that would require the unnecessary use of\n      laboratory resources to refute the match.\n\n  \xe2\x80\xa2   Timely Notification of Law Enforcement When DNA Profile Matches Occur\n      in NDIS \xe2\x80\x93 Laboratories should notify law enforcement personnel of NDIS\n      matches within 2 weeks of the match confirmation date, unless there\n      are extenuating circumstances. Our rationale for this standard is that\n      untimely notification of law enforcement personnel may result in the\n      suspected perpetrator committing additional, and possibly more\n      egregious crimes, if the individual is not deceased or already\n      incarcerated for the commission of other crimes.\n\n\n\n\n                                      - 92 -\n\x0c                                                              APPENDIX V\n\n DOJ OIG CODIS LABORATORY AUDITS, FYS 2000 \xe2\x80\x93 2006\n\nFY 2000 Audits\n\nAudit Report Number GR-80-00-009, Broward County Sheriff\xe2\x80\x99s Office Crime\nLaboratory, Fort Lauderdale, Florida, April 2000.\n\nAudit Report Number GR-80-00-011, Florida Department of Law\nEnforcement Tallahassee Regional Crime Laboratory, May 2000.\n\nAudit Report Number GR-80-00-013, Miami-Dade Police Department Crime\nLaboratory Bureau, Miami, Florida, June 2000.\n\nAudit Report Number GR-40-00-013, North Carolina State Bureau of\nInvestigation Crime Laboratory, Raleigh, North Carolina, June 2000.\n\nAudit Report Number GR-90-00-019, California Department of Justice\nBerkeley DNA Laboratory, Berkeley, California, July 2000.\n\nAudit Report Number GR-50-00-025, Illinois State Police Springfield DNA\nLaboratory, Springfield, Illinois, August 2000.\n\nAudit Report Number GR-70-00-017, Pennsylvania State Police Greensburg\nDNA Laboratory, Greensburg, Pennsylvania, September 2000.\n\nAudit Report Number GR-30-00-005, Virginia Division of Forensic Science\nCentral Laboratory, Richmond, Virginia, September 2000.\n\n\nFY 2001 Audits\n\nAudit Report Number GR-80-01-005, Arkansas State Crime Laboratory, Little\nRock, Arkansas, January 2001.\n\nAudit Report Number GR-50-01-003, Minnesota Bureau of Criminal\nApprehension Forensic Science Laboratory, St. Paul, Minnesota, March 2001.\n\nAudit Report Number GR-80-01-010, Texas Department of Public Safety\nHeadquarters Laboratory, Austin, Texas, April 2001.\n\nAudit Report Number GR-40-01-004, Kentucky State Police Forensic\nLaboratory, Frankfort, Kentucky, May 2001.\n\n\n\n\n                                   - 93 -\n\x0c                                                              APPENDIX V\n\nFY 2002 Audits\n\nAudit Report Number GR-90-02-003, Orange County Sheriff-Coroner\nForensic Science Services, Orange County, California, October 2001.\n\nAudit Report Number GR-90-2-007, Portland Forensic Laboratory, Portland,\nOregon, December 2001.\n\n\nFY 2004 Audits\n\nAudit Report Number. GR-70-04-006, Office of the Chief Medical Examiner\nForensic Sciences Laboratory, Wilmington, Delaware, May 2004.\n\nAudit Report Number GR-40-04-006, Georgia Bureau of Investigation\nDivision of Forensic Sciences Laboratory, Decatur, Georgia, June 2004.\n\nAudit Report Number GR-30-04-005, Baltimore City Police Department\nCrime Laboratory, Baltimore, Maryland, July 2004.\n\nAudit Report Number GR-60-04-009, Nebraska State Patrol Crime\nLaboratory, Lincoln, Nebraska, July 2004.\n\nAudit Report Number GR-30-04-006, Montgomery County Police Department\nCrime Laboratory, Rockville, Maryland, September 2004.\n\nAudit Report Number GR-90-04-015, San Diego Police Department Forensic\nScience Section, San Diego, California, September 2004.\n\n\nFY 2005 Audits\n\nAudit Report Number GR-40-05-002, United States Army Criminal\nInvestigation Laboratory, Forest Park, Georgia, October 2004.\n\nAudit Report Number GR-50-05-001, Kansas City Police Crime Laboratory,\nKansas City, Missouri, November 2004.\n\nAudit Report Number GR-70-05-005, New Jersey State Police Forensic\nScience Laboratory Bureau, Hamilton, New Jersey, December 2004.\n\nAudit Report Number GR-70-05-009, The City of New York Office of Chief\nMedical Examiner Department of Forensic Biology, New York, New York,\nFebruary 2005.\n\n\n\n                                   - 94 -\n\x0c                                                               APPENDIX V\n\nAudit Report Number GR-60-05-005, Colorado Bureau of Investigation\nDepartment of Public Safety DNA Laboratory, Denver, Colorado, April 2005.\n\nAudit Report Number GR-70-05-011, State of Connecticut Forensic Science\nLaboratory, Meriden, Connecticut, April 2005.\n\nAudit Report Number GR-40-05-007, South Carolina Law Enforcement\nDivision Forensic Services laboratory, Columbia, South Carolina, May 2005.\n\nAudit Report Number GR-40-05-008, Florida Department of Law\nEnforcement Tampa Bay Regional Operations Center, Tampa, Florida,\nMay 2005.\n\nAudit Report Number GR-50-05-011, State of Michigan, Department of State\nPolice Lansing Forensic Science Laboratory, June 2005.\n\nAudit Report Number GR 60-05-009, Arizona Department of Public Safety\nScientific Analysis Bureau DNA Laboratory, Phoenix, Arizona, June 2005.\n\n\nFY 2006 Audits\n\nAudit Report Number GR-90-06-001, California Department of Justice\nBureau of Forensic Services Fresno Regional Laboratory, Fresno, California,\nNovember 2005\n\nAudit Report Number GR-40-06-002, State of Mississippi Department of\nPublic Safety Mississippi Crime laboratory Jackson, Mississippi. December\n2005\n\n\n\n\n                                   - 95 -\n\x0c                             APPENDIX VI\n\nCODIS USER ANNUAL REMINDER FORM\n\n\n\n\n             - 96 -\n\x0c         APPENDIX VI\n\n\n\n\n- 97 -\n\x0c                                                             APPENDIX VII\n\n              OIG CODIS ADMINISTRATOR SURVEY\n\n     The following guidance was provided to the survey respondents at the\nbeginning of the survey:\n\n      As a rule, please select only one answer to each of the survey\n      questions. Guidance on how to interpret the question is\n      presented in italics. Note that throughout the survey, \xe2\x80\x9cNDIS\n      requirements\xe2\x80\x9d is used to refer to all of the requirements with\n      which an NDIS-participating laboratory has to comply to use and\n      maintain their CODIS system, including the NDIS operating\n      procedures and NDIS data acceptance standards. However, we\n      do distinguish NDIS requirements from the QAS, even though\n      compliance with the QAS is required for NDIS participation.\n\n       Survey respondents were also instructed to provide their responses\ndirectly to the OIG, with no copy to any other organization, such as the FBI,\nthe National Institute of Justice, or accrediting organizations.\n\n      Below, we describe our strategy for tallying the survey responses, as\nwell as give a list of the survey results, by question.\n\n\nTallying of Survey Responses\n\n      A few different systems were devised that would allow us to\nsummarize the survey results as well as calculate averages and percentages\nfor various questions. The system was based on the type of question and\nthe calculation that would best portray the results of that question.\n\n      We tallied the number of \xe2\x80\x9cyes\xe2\x80\x9d and \xe2\x80\x9cno\xe2\x80\x9d responses for questions 5, 23,\n27, 33, 36, 37, 38, 39, 40, and 41. In addition, we assigned a number value\nto questions, 1, 3, 4, 11, 16, 32, 34, 42, 44b, and 46, but the numbers had\nno positive or negative significance.\n\n      Questions 7, 8a, 9, 10, 13, 14, 17, 18, 21, 22, 26, 28, 29, 35, 43, and\n44a were assigned a numerical value where the numbers had a positive or\nnegative implication, moving from negative to positive as the numbers\nbecame larger. For questions 2, 8b, 12, 19, 20, 30, and 45 we created our\nown alpha key (i.e., we assigned alphabetic designators, similar to\nacronyms, that allowed us to tally the responses in the limited space of our\nspreadsheet).\n\n\n\n\n                                    - 98 -\n\x0c                                                              APPENDIX VII\n\n       Tallying results for question 15 was more complex than the other\nquestions because there was not typically one correct response for the\nscenarios given in the question. To each scenario, respondents could select\n"Yes," "Yes, under the following conditions," or "No, for the following\nreason(s)." As a result we developed a complex grading matrix that could\nhelp us evaluate the different factors that a respondent could cite to justify\ntheir response. We distinguished between primary, secondary, and\nperipheral factors that would need to be considered in evaluating each\nscenario. Some scenarios were simpler and did not have that many factors,\nbut the more complex scenarios had many factors. From that we developed\na grading scale where responses were graded based upon the number of\nfactors that they provided. The scale was 1 to 5, with 1 = poor,\n2 = marginal, 3 = adequate, 4 = good, and 5 = exceptional. We averaged\nthe grades, but also tracked the number of "1" responses, or \xe2\x80\x9cpoor\xe2\x80\x9d\nresponses received.\n\n      For questions 24 and 25 we summarized the comments into phrases.\nThen we categorized the phrases and grouped them into similar categories.\nFor questions 6 and 31 the actual percentages and dates given by the\nrespondents were used.\n\n      In addition, 26 of the questions allowed respondents to provide\ncomments. Some comments were modified slightly by auditors to correct\nfor grammar and sentence structure. The 26 questions were 8, 13, 11, 17\n(in two separate places), 20 (in two separate places), 23, 27, 28, 29, 30, 32,\n34, 35, 36, 37, 38, 39, 40, 41, 42, 44.b., 45 (in two separate places), and\n46. The comments provided were analyzed and trends were identified for\neach question, as well as across all of the comments.\n\n\nSurvey Results\n\n      Described below are the results for each question of our survey, along\nwith an explanation of the various options offered to the administrators with\neach question. Throughout the survey questions, italicized text was used to\ngive instructions to the administrators on how to interpret our questions and\nproceed through the survey.\n\n\n\n\n                                    - 99 -\n\x0c                                                               APPENDIX VII\n\nDemographics\n\n1.   What CODIS level is your laboratory?\n\n     Ninety-five respondents were from LDIS laboratories and 49 were from\n     SDIS laboratories.\n\n\n2.   What is your current role in the laboratory?\n\n\n                             6%\n                     13%\n                8%                             Administrator (AD)\n                                               AD & Casework (CW)\n              8%                               AD & Offender (CO)\n                                               AD & CW / CO\n                                 65%\n                                               AD + Other\n\n\n\n\n3.   How long have you been the CODIS Administrator at your\n     laboratory (include past experience if you are not currently the\n     CODIS Administrator)?\n\n     The average time the respondents were CODIS administrators was 3\n     to 5 years.\n\n\n4.   What is the size of the DNA section in your laboratory (include\n     technicians, examiners, managers, etc., but not clerical support\n     or management that are not specific to the DNA section)?\n\n     The average size of respondents\xe2\x80\x99 DNA laboratory was 6 to 10\n     positions. This includes all staff specific to the DNA portion of their\n     laboratory.\n\n\n\n\n                                   - 100 -\n\x0c                                                           APPENDIX VII\n\n5.   Are you an FBI-trained quality assurance auditor?\n\n\n\n\n                           43%\n                                                          Yes\n                                            57%           No\n\n\n\n\nFBI CODIS Unit Responsiveness\n\n6.   For your communications with the CODIS Unit during the last 2\n     years, please estimate what percentage of those\n     communications were for the following purposes:\n\n       _% confirmation on whether a profile is allowable for NDIS\n       _% support to defend my decisions to investigators or\n          attorneys\n       _% annual certifications, filings, or paperwork\n       _% assistance in managing CODIS user information\n       _% QAS audit and corrective action submission or responses\n       _% guidance on hit counting or match resolution\n       _% clarification on NDIS Operating Procedures\n       _% submission of other routine required paperwork\n       _% Other [please specify]:\n\n     Percentages were highest for the purposes listed below.\n\n       \xe2\x80\xa2   QAS audits and corrective action,\n\n       \xe2\x80\xa2   information technology matters (mentioned under \xe2\x80\x9cOther\xe2\x80\x9d), and\n\n       \xe2\x80\xa2   annual certifications and paperwork.\n\n\n\n\n                                  - 101 -\n\x0c                                                           APPENDIX VII\n\n7.   How would you rate the timeliness of responses you have\n     received, in the last 2 years, from the CODIS Unit to questions\n     or concerns you have had on the following topics:\n\n\n\n\n     While 139 responses were received to this question, a significant\n     percentage marked \xe2\x80\x9cN/A\xe2\x80\x9d if the reason we offered did not apply to\n     their usual contact with the FBI. The higher the percentage of \xe2\x80\x9cN/A\xe2\x80\x9d\n     responses, the fewer the people who contacted the FBI on that topic.\n     The percentage of \xe2\x80\x9cN/A\xe2\x80\x9d responses can be seen in the \xe2\x80\x9cN/A\xe2\x80\x9d column\n     for each category.\n\n     The chart also shows the average responses for each topic given. The\n     rounded average responses ended up being in the latter two columns.\n\n\n\n\n                                 - 102 -\n\x0c                                                           APPENDIX VII\n\n8.   Please complete the following questions if you selected \xe2\x80\x9cOften,\n     no response received\xe2\x80\x9d or \xe2\x80\x9cOften, response delayed more than 2\n     weeks\xe2\x80\x9d to any of the options in the above question.\n\n     a.     How often did you feel that the untimely responses from\n            the CODIS Unit has limited your ability:\n\n                                  3%\n                                                     Very often\n                                         23%\n                                                     Often\n                     45%                             Sometimes\n                                                     Rarely\n\n                                       28%\n\n\n     b.     To what cause(s) do you attribute the untimely responses\n            from the CODIS Unit? [Check all that apply]\n\n\n\n\n                   13%                                       Lack of Understanding\n\n                         20%                                 Not a High Priority\n          Causes\n\n\n\n\n                               31%                           Understaffing\n\n                               31%                           Other\n\n                                               53%           Unsure\n\n\n              0%           20%           40%         60%\n\n                               Percentages\n\n\n\n\n                                     - 103 -\n\x0c                                                          APPENDIX VII\n\n9.   For those matters for which the CODIS Unit has been timely in\n     responding (responses received in less than 2 weeks), to what\n     degree did that response address your questions or concerns?\n\n\n\n\n     While 125 responses were received for this question, a significant\n     percentage marked \xe2\x80\x9cN/A\xe2\x80\x9d if the purpose did not apply to their usual\n     contact with the FBI. The higher the percentage of \xe2\x80\x9cN/A\xe2\x80\x9d the fewer\n     the people who contacted the FBI on that topic. The percentage of\n     \xe2\x80\x9cN/A\xe2\x80\x9d responses can be seen in the \xe2\x80\x9cN/A\xe2\x80\x9d column for each category\n     and the rounded average responses ended up being in the latter two\n     columns.\n\n\n\n\n                                 - 104 -\n\x0c                                                            APPENDIX VII\n\n10.   If you have raised concerns about CODIS or NDIS operations to\n      the CODIS Unit and those concerns remain unaddressed, to\n      what degree do you believe those concerns have the potential\n      to undermine the long-term success of CODIS (i.e., the ability\n      of CODIS to accomplish its mission)?\n\n            No potential, since the question or concern was a\n            one-time issue limited to my laboratory\n            Minimal potential, since the question or concern is\n            probably an isolated issue for laboratories similar in\n            size or level to mine\n            Moderate potential, since the question or concern is\n            probably a recurring issue for laboratories similar in\n            size or level to mine\n            Significant potential, since the question or concern is\n            a recurring issue for many laboratories in the CODIS\n            community\n\n      Fifty responses were received for question 10 and the average\n      response was between moderate and minimal potential.\n\n\n11.   What suggestions do you have for how the CODIS Unit can\n      improve its responsiveness to the CODIS community\xe2\x80\x99s\n      questions or concerns?\n\n      We received 39 comments. Trends in the comments were that the\n      CODIS Unit needs more staff, and the CODIS Unit should disseminate\n      more info to the CODIS community via the CODIS Website or Criminal\n      Justice Information System Wide Area Network (CJIS WAN).\n\n      In addition, disseminating more information to the CODIS community\n      via the CJIS WAN was also a comment trend identified when all 636\n      comments were analyzed. Specifically, our analysis showed 37\n      respondents made a total of 51 comments regarding posting\n      information through the CJIS WAN.\n\n      A related comment trend is that while the FBI\xe2\x80\x99s accessibility and\n      responsiveness has improved, more improvements are needed; our\n      analysis showed 20 respondents made a total of 28 comments\n      regarding the FBI\xe2\x80\x99s inaccessibility and its untimely responses.\n\n      Suggestions were made for the FBI to set standards on timeliness of\n      responses and to have a mechanism for making sure all responses are\n\n\n\n                                  - 105 -\n\x0c                                                              APPENDIX VII\n\n      addressed, similar to the type of standards or tracking that is done for\n      the CODIS contractor\'s help desk with information technology\n      questions. In situations where a response cannot be formulated in a\n      timely fashion, suggestions were made for at least a response\n      indicating something along the lines of "X person will respond by Y\n      time with the information you requested."\n\n\nAllowability of DNA Profiles\n\n12.   In your laboratory, who currently is ultimately responsible for\n      ensuring that casework profiles are uploaded in accordance\n      with NDIS requirements? [Having the final responsibility does not\n      preclude the possibility that the person responsible may consult with\n      another member of the laboratory to confirm their conclusion.]\n      If your answer to question 12 indicates you are partially or fully\n      responsible for designating which profiles are uploaded to NDIS, please\n      complete questions 13-15.\n\n\n                    5%                        Analyst\n                           12%\n             13%                              CODIS Administrator\n\n                                              Analyst & Reviewer\n\n\n            26%                41%            All\n\n                                              Analyst & CODIS\n                                              Administrator\n\n\n\n\n                                   - 106 -\n\x0c                                                            APPENDIX VII\n\n13.   How difficult is it to determine what categories of profiles can\n      be uploaded to NDIS? [In the options offered below \xe2\x80\x9canother\n      source\xe2\x80\x9d is any source other than the documents supplied by the FBI to\n      inform you on these topics, such as the CODIS Administrator\xe2\x80\x99s\n      Handbook, or the NDIS Operational Procedures. Examples of other\n      sources you might consult are the NDIS Custodian or another CODIS\n      Administrator.]\n\n            Very difficult (routinely requires clarification from\n            another source)\n            Difficult (occasionally requires clarification from\n            another source)\n            Routine (rarely requires clarification from another\n            source)\n            Easy (does not require clarification from another\n            source)\n\n      We received 130 responses to question 13 and the average response\n      was \xe2\x80\x9cRoutine.\xe2\x80\x9d\n\n\n14.   How confident are you personally that when you conclude that\n      a profile is permitted in NDIS, you are correct?\n\n            Completely confident.\n            Consistently confident. On rare occasion I\n            appreciate having additional confirmation from\n            another source on my decision.\n            Generally confident, but would occasionally\n            appreciate having confirmation from another\n            source.\n            Somewhat confident, and often solicit\n            confirmation from another source on my decision.\n            Minimally confident, and routinely solicit\n            confirmation from another source on my decision.\n\n      We received 130 responses to question 14 and the average response\n      was closest to the \xe2\x80\x9cconsistently confident\xe2\x80\x9d option.\n\n\n\n\n                                  - 107 -\n\x0c                                                            APPENDIX VII\n\n15.   Would you categorize the following samples as a \xe2\x80\x9cforensic\n      unknown\xe2\x80\x9d suitable for NDIS? [Please base your analysis only on\n      the information provided in the question, and assume the profiles have\n      >=10 loci.]\n\n      Each scenario offered the following options:\n\n                  Yes\n                  Yes, under the following conditions:\n                  No, for the following reason(s):\n\n      We used a grading scale that evaluated the quality of response we\n      received from respondents, with 1 = poor and 5 = exceptional.\n\n      a.   A profile developed from crime scene evidence that once\n           analyzed is revealed to match the suspected perpetrator?\n\n           We received 131 responses and the average grade was 3.4.\n\n      b.   A profile developed from crime scene evidence that does\n           not match any reference sample provided (suspect,\n           victim, or elimination)?\n\n           We received 132 responses and the average grade was 3.6.\n\n      c.   A profile developed from an item submitted by a law\n           enforcement agency for analysis (item source or crime\n           committed is unclear) that does not match any reference\n           sample provided?\n\n           We received 132 responses and the average grade was 4.3.\n\n      d.   A profile developed from crime scene evidence that is\n           confirmed to be a mixture of the victim and suspected\n           perpetrator (reference samples are available)?\n\n           We received 132 responses and the average answer was 4.1.\n\n      e.   A profile developed from crime scene evidence that is a\n           mixture of two contributors that could include the victim,\n           but reference samples are not available?\n\n           We received 133 responses and the average answer was 3.5.\n\n\n\n                                   - 108 -\n\x0c                                                                       APPENDIX VII\n\n      f.   A profile developed from crime scene evidence that is a\n           mixture of three contributors, including the victim, and\n           only the victim\xe2\x80\x99s reference sample is available?\n\n           We received 133 responses and the average grade was 3.7.\n\n\n16.   What (as in a law or policy document) or who (as in a position)\n      do you believe to be the final authority on what profiles your\n      laboratory uploads?\n\n      For question 16 most respondents gave multiple answers, even though\n      we asked for a single \xe2\x80\x9cfinal authority.\xe2\x80\x9d Consequently, the percentages\n      overlap and do not total 100 percent, which is why we did not put\n      percent labels on these charts, to preclude misinterpretation.\n      However, the dominant responses are clear. \xe2\x80\x9cN/A\xe2\x80\x9d responses are not\n      reflected but were few.\n\n\n              Question 16a: Who or what is the final authority on what\n                         profiles your lab uploads to LDIS?\n\n           National Representative\n\n           State Representative\n                                     What or Who\n\n\n\n\n           Local Representative\n\n           National Law or Policy\n\n           State Law or Policy\n\n           Local Law or Policy\n                                            0%     20%      40%        60%   80%\n                                                         Percentages\n\n\n      In the preceding chart it is clear that CODIS administrators see the\n      LDIS administrator as the primary authority over what goes into LDIS.\n\n\n\n\n                                        - 109 -\n\x0c                                                              APPENDIX VII\n\n          Question 16b: Who or what is the final authority on what\n                     profiles your lab uploads to SDIS?\n\n    National Representative\n\n    State Representative\n\n\n\n\n                                 What or Who\n    Local Representative\n\n    National Law or Policy\n\n    State Law or Policy\n\n    Local Law or Policy                  0%    20%      40%        60%   80%\n\n                                                     Percentages\n\n\nIn the preceding chart it is clear that CODIS administrators see the\nSDIS administrator as the primary authority over what goes into SDIS,\nalthough roughly one-third of the responses included an emphasis on\nthe state law or policy.\n\n\n        Question 16c: Who or what is the final authority on what profiles\n                         your lab uploads to NDIS?\n\n\n     National Representative\n\n     State Representative\n                               What or Who\n\n\n\n\n     Local Representative\n\n     National Law or Policy\n\n     State Law or Policy\n\n     Local Law or Policy\n                                       0%       20%           40%        60%\n\n                                                     Percentages\n\n\nIn the preceding chart we see NDIS is the only level where\nrespondents weighed the national law or policy almost as heavily as\nthey did the national representative.\n\n\n\n                               - 110 -\n\x0c                                                             APPENDIX VII\n\n17.   From your experience in the CODIS community, do you believe\n      that NDIS-participating laboratories have the same\n      understanding of what profiles are suitable for inclusion in\n      NDIS?\n            Yes, all laboratories have the same understanding\n            Yes, laboratories have the same understanding with\n            only rare exceptions\n            No, not all laboratories have the same understanding,\n            but community understanding is improving\n            If possible, please explain:\n            No, and community confusion is increasing\n            If possible, please explain:\n            Unsure or not applicable based upon limited\n            experience\n\n      The average response to question 17 was \xe2\x80\x9cNo, not all laboratories\n      have the same understanding, but community understanding is\n      improving.\xe2\x80\x9d\n\n      Administrators who said that the CODIS community does not have the\n      same understanding had the option of providing additional comments,\n      and 70 respondents did.\n\n      Most of the respondents focused their answers on their participation in\n      discussions at the National CODIS Conferences (NCC). Some took the\n      perspective that the discussions further confused people, while others\n      felt that the discussions helped by clarifying troublesome scenarios.\n\n\n18.   Do you believe there are NDIS-participating laboratories\n      (including your own) that knowingly upload profiles that they\n      believe to be \xe2\x80\x9cborderline\xe2\x80\x9d (i.e., probably unallowable) if they\n      believe it will further an investigation?\n            No\n            Yes, but they are the rare exception\n            Yes, and it could be occurring beyond a rare\n            exception\n            Unsure or not applicable based upon limited\n            experience\n\n      Twenty-three percent of respondents to question 18 said \xe2\x80\x9cUnsure or\n      not applicable\xe2\x80\x9d and the majority of the remaining responses were \xe2\x80\x9cYes,\n      but they are the rare exception.\xe2\x80\x9d\n\n\n\n                                   - 111 -\n\x0c                                                             APPENDIX VII\n\n19.   If a member of your DNA laboratory has a question regarding\n      whether a profile is allowable for upload to NDIS, who or what\n      would be their most likely source for clarification?\n            CODIS Administrator\xe2\x80\x99s Handbook or NDIS Operating\n            Procedures\n            CODIS Administrator in their laboratory\n            CODIS Administrator in another laboratory\n            NDIS Custodian\n            An examiner in their laboratory\n            Other:\n\n      Respondents gave multiple answers to question 19, and therefore we\n      were not able to calculate true percentages. Instead, we focused on\n      which sources of guidance were the top three named.\n      We received 143 responses, with three options selected the most by\n      respondents as all or part of their answer:\n\n        \xe2\x80\xa2   111 respondents cited \xe2\x80\x9cCODIS Administrator in their laboratory\xe2\x80\x9d;\n\n        \xe2\x80\xa2   27 respondents cited \xe2\x80\x9cCODIS Administrator Handbook\xe2\x80\x9d; and\n\n        \xe2\x80\xa2   27 respondents cited \xe2\x80\x9cCODIS Administrator in another laboratory.\xe2\x80\x9d\n\n\n20.   What do you believe the CODIS Unit can do to improve\n      community understanding of what profiles are permitted at\n      NDIS? [Check all that apply]\n\n            Conduct specific training\n            Increase discussion at the annual CODIS Conference\n            Disseminate better information and guidance\n            Please describe:\n            Other:\n\n      Since this question permitted multiple responses, the chart below is\n      only intended to convey the magnitude of response.\n\n      The three primary options we offered were selected pretty evenly, as\n      ways that would help community understanding.\n\n\n\n\n                                   - 112 -\n\x0c                                                                               APPENDIX VII\n\n\n                                       Improving Community Understanding of\n                                         What Profiles are Permitted in NDIS\n\n\n\n                               Other\n        Improvement Methods\n\n\n\n\n                               Disseminate better information & guidance\n\n\n\n                               Increase discussion at National CODIS Meetings\n\n\n\n                               Conduct specific training\n\n\n                              0%       10%     20%         30%    40%      50%     60%\n\n                                                     Percentage\n\n\n\nLaboratory Quality\n\n21.   Please rank your laboratory\xe2\x80\x99s quality of operations as one of\n      the following:\n      1 = Poor, since there are still fundamental quality controls we\n      fail to consistently apply OR we have one or more staff\n      members that are not fully committed to QAS compliance.\n\n      2 = Fair, since we routinely apply most quality controls in our\n      operations, but still need occasional improvement. All staff are\n      committed to QAS compliance, but occasionally are not\n      properly informed about the standards.\n\n      3 = Good, since we consistently apply all appropriate quality\n      controls in our operations. All staff are fully committed to QAS\n      compliance and are proficient in what those standards are.\n\n\n\n\n                                                   - 113 -\n\x0c                                                         APPENDIX VII\n\n      4 = Excellent, since we apply all appropriate quality controls,\n      and actively pursue enhancing those controls. All staff are\n      committed to QAS compliance, are proficient in what those\n      standards are, and are committed to surpassing those\n      standards whenever warranted to ensure excellence.\n\n      We received 143 responses to question 21 and the average answer\n      was 3.6.\n\n\n22.   How would you rank your laboratory\xe2\x80\x99s quality of operations in\n      relation to other laboratories?\n\n      1 = Below average (the majority of laboratories surpass our\n          laboratory)\n\n      2 = Average (our laboratory is comparable to the majority of\n          laboratories)\n\n      3 = Above average (our laboratory surpasses the majority of\n          laboratories)\n\n      4 = Outstanding (our laboratory is a leader in quality in the\n          DNA community)\n\n      5 = Unsure or not applicable based upon limited experience\n\n      We received 142 responses to question 22 and the average answer\n      was 3.2.\n\n\n\n\n                                 - 114 -\n\x0c                                                                 APPENDIX VII\n\n23.   Do you know of any NDIS-participating laboratory (including\n      your own) that is currently operating with what you would\n      consider to be a material weakness in its quality of operations?\n\n                             8%\n\n\n                                                           No\n                                                           Yes\n\n                                  92%\n\n\n\n      For question 23 we received 140 responses and the respondents who\n      said \xe2\x80\x9cyes\xe2\x80\x9d had the opportunity to provide additional comments and 10\n      did. Comments included statements regarding weaknesses related to\n      the following areas:\n\n          \xe2\x80\xa2   the inherent limitations of one-person DNA laboratories;\n\n          \xe2\x80\xa2   uploading profiles that have not been fully reviewed, or on behalf\n              of other laboratories where quality has not been confirmed;\n\n          \xe2\x80\xa2   uninvolved off-site technical leaders; and\n\n          \xe2\x80\xa2   first-hand knowledge of laboratories (public and private) that\n              emphasize productivity at the expense of quality.\n\n\nGeneral CODIS Operations\n\n24.   What three issues pose the greatest challenge to the mission of\n      CODIS in the next five years?\n\n      We received 126 responses to question 24 and the top challenges are\n      listed below.\n\n      \xe2\x80\xa2   19 percent \xe2\x80\x93 Expansion and Change,\n\n      \xe2\x80\xa2   18 percent \xe2\x80\x93 Resources,\n\n      \xe2\x80\xa2   12 percent \xe2\x80\x93 Profile Integrity or System Operations, and\n\n\n                                      - 115 -\n\x0c                                                             APPENDIX VII\n\n      \xe2\x80\xa2   11 percent \xe2\x80\x93 Data Management or System Administration.\n\n\n25.   What three aspects of CODIS do you believe have been its most\n      important successes?\n\n      We received 122 responses to question 25 and the most important\n      successes are listed below.\n\n      \xe2\x80\xa2   34 percent \xe2\x80\x93 Crime Solving and Prevention,\n\n      \xe2\x80\xa2   25 percent \xe2\x80\x93 System Benefits, and\n\n      \xe2\x80\xa2   12 percent \xe2\x80\x93 Community Assistance or Communication Connections.\n\n\n26.   How would you rate the FBI CODIS contractor\xe2\x80\x99s overall\n      performance? The numeric rating scale used is below.\n\n      1 = Unacceptable        4 = Good\n\n      2 = Poor                5 = Excellent\n\n      3 = Fair\n\n      The average answer was 4.5.\n\n\n27.   Do you believe the CODIS software has addressed the needs of\n      the CODIS community?\n\n\n                           8%\n\n\n                                                       Yes\n                                                       No\n                                92%\n\n\n\n\n                                   - 116 -\n\x0c                                                               APPENDIX VII\n\n28.   How would you characterize the FBI\xe2\x80\x99s current management of\n      CODIS? The numeric rating scale used is below.\n\n      1 = Unacceptable        4 = Good\n\n      2 = Poor                5 = Excellent\n\n      3 = Fair\n\n      The average answer was 4 and, of the 143 responses we received to\n      this question, 24 gave additional comments.\n\n\n29.   To what extent has the FBI\xe2\x80\x99s management of CODIS improved\n      over the last 2 years?\n\n      The following numeric rating scale was used:\n\n      1 = No improvement observed 4 = Substantially\n\n      2 = Minimally                        5 = Extensively\n\n      3 = Moderately\n\n      N/A = Unsure or not applicable based upon limited experience\n\n      Of the 143 responses received, 21 provided additional comments and\n      27 percent said \xe2\x80\x9cN/A.\xe2\x80\x9d The average answer was 3.1.\n\n      Trends in this section of the survey are listed below.\n\n         \xe2\x80\xa2   SAIC does an excellent job.\n\n         \xe2\x80\xa2   The software has become more user-friendly.\n\n         \xe2\x80\xa2   CODIS Unit communication and accessibility have improved. The\n             NCC, the CODIS website, and NDIS procedure updates have\n             helped but further improvements could be made.\n\n\n\n\n                                    - 117 -\n\x0c                                                             APPENDIX VII\n\nNDIS Audit Review Panel\n\n30.   Do you believe the NDIS Audit Review Panel has improved\n      community compliance with the QAS? [Check all that apply]\n\n\n\n\n                                                       13%\n                       34%           48%\n                                                       9%\n                                   Total\n                                   Yes\'s               26%\n\n                         13%\n\n\n\n                    Yes: Ensures consistency\n                    Yes: Ensures corrective action\n                    Yes: Ensures both of these\n                    No: Still enforcing individual interpretations\n                    Unsure\n\n\n      Note that this chart does not include a small number of \xe2\x80\x9cother\xe2\x80\x9d\n      designations that were received, accompanied by supplemental\n      comments. The comments further emphasized that individual\n      interpretations of standards still exist.\n\n\n31.   For your most recently completed audit panel review, when\n      was the audit and accompanying corrective action\n      documentation submitted to the FBI?\n\n      We received 137 responses:\n\n        \xe2\x80\xa2   18 percent selected the year \xe2\x80\x9c2003,\xe2\x80\x9d\n\n        \xe2\x80\xa2   39 percent selected the year \xe2\x80\x9c2004,\xe2\x80\x9d\n\n        \xe2\x80\xa2   9 percent selected the year \xe2\x80\x9c2005\xe2\x80\x9d; and\n\n\n\n                                   - 118 -\n\x0c                                                               APPENDIX VII\n\n        \xe2\x80\xa2      34 percent selected \xe2\x80\x9cNot applicable,\xe2\x80\x9d which was offered as an\n               option to those respondents who did not know or were not\n               involved in this process. These respondents were then asked to\n               skip to question 36.\n\n\n32.   In your most recently completed audit panel review, please\n      estimate how long it took from the time that your audit and\n      corrective action documentation were originally submitted until\n      you received notification that the audit was closed?\n\n\n\n                    > 1 year\n\n               7 mo. to 1 year\n        Time\n\n\n\n\n                4 to 6 months\n\n                0 to 3 months\n\n                             0%        10%         20%        30%        40%\n\n                                                Percentage\n\n      When we asked about the total time it took for the processing of their\n      last completed external QAS audit, we observed that there was slightly\n      less than one-third who said it took longer than 6 months, roughly\n      one-third who said it took from 4 to 6 months and slightly more than\n      one-third who said it took 0 to 3 months. This does not include the\n      less than one percent of \xe2\x80\x9cN/A.\xe2\x80\x9d\n\n\n\n\n                                      - 119 -\n\x0c                                                              APPENDIX VII\n\n33.   In this same completed audit panel review, were you asked to\n      supply additional corrective action documentation after you\n      made your original submission?\n\n\n\n\n                                    31%\n                                                      Yes\n                                                      No\n                          69%\n\n\n\n\n      This information sheds some light on potential causes of delay in\n      closing out audits, since nearly one-third of the respondents indicated\n      that the Audit Review Panel had followed-up to get more corrective\n      action documentation after the original submission by their\n      laboratories.\n\n\n34.   For this same completed audit panel review, please estimate\n      how much time elapsed after you supplied all additionally\n      requested corrective action documentation until you received\n      notification that the audit was closed?\n\n\n\n                 4 to 6\n                                        41%\n                months\n         Time\n\n\n\n\n                0 to 3\n                                                    59%\n                months\n\n                          0%     20%          40%          60%       80%\n                                         Percentages\n\n      This question was conditional upon the response to the preceding\n      question, therefore non-valid responses were disregarded.\n\n\n\n\n                                   - 120 -\n\x0c                                                             APPENDIX VII\n\n35.   How would you characterize your perception of any\n      improvements made in the last 2 years in the NDIS Audit\n      Review Panel\xe2\x80\x99s timeliness of review?\n\n      The numeric rating system used is below.\n\n      1 = Timeliness does not seem to be improving.\n\n      2 = Timeliness is improving slowly.\n\n      3 = Timeliness is actively improving.\n\n      4 = Necessary improvements have already been made.\n\n      We received 83 responses and the average was 2.7, closest to the\n      \xe2\x80\x9cactively improving\xe2\x80\x9d designation. Respondents also had the option of\n      selecting \xe2\x80\x9cother\xe2\x80\x9d and providing a comment. Eleven of the 81\n      respondents provided comments and the trend showed that\n      respondents had no basis to form an opinion as to whether the NDIS\n      Audit Review Panel improved the timeliness of their reviews.\n\n\nFBI Guidance to the CODIS Community\n\n36.   Does the FBI provide sufficient guidance on complying with the\n      QAS, to ensure CODIS participants understand and comply with\n      those standards?\n\n\n\n\n                          26%\n                                                       Yes\n                                                       No\n                                     73%\n\n\n\n\n      Note this does not reflect the less than 1 percent of respondents who\n      said \xe2\x80\x9cN/A.\xe2\x80\x9d The respondents who said \xe2\x80\x9cno\xe2\x80\x9d had the option of providing\n      additional comments, and 31 did. The trend in the comments was\n\n\n\n\n                                  - 121 -\n\x0c                                                              APPENDIX VII\n\n      interpretation of standards varies between auditors and the CODIS\n      community as a whole.\n\n\n37.   Does the FBI provide sufficient guidance on complying with the\n      NDIS requirements, to ensure NDIS participants understand\n      and comply with those requirements?\n\n\n\n\n                           19%\n                                                        Yes\n                                                        No\n\n                                     81%\n\n\n\n      Note this does not reflect the less than 1 percent of respondents who\n      said \xe2\x80\x9cN/A.\xe2\x80\x9d The respondents who selected \xe2\x80\x9cno\xe2\x80\x9d had the option of\n      providing comments, and 20 did. The trends identified in the\n      comments were interpretation of standards varies between auditors\n      and the CODIS community as a whole and the CODIS Unit does not\n      respond to questions in a timely manor.\n\n\n\n\n                                   - 122 -\n\x0c                                                            APPENDIX VII\n\n38.   Do you believe that the FBI\xe2\x80\x99s audit document enables an\n      external QAS auditor to identify all of a laboratory\xe2\x80\x99s quality\n      assurance weaknesses?\n\n\n                          16%\n\n                                                      Yes\n                                       58%            No\n                      26%                             N/A\n\n\n\n\n      We received a total of 140 responses to question 38. The respondents\n      who selected \xe2\x80\x9cno\xe2\x80\x9d had the option of providing additional comments,\n      and 33 did. The trends identified in the comments were interpretation\n      of standards varies between auditors and the CODIS community as a\n      whole and the standards and the audit document need to be updated.\n\n\n39.   Do you believe the FBI has provided adequate training on the\n      proper use of the QAS audit document to ensure that\n      community QAS auditors are consistent and thorough in their\n      assessment of compliance with the QAS?\n\n\n\n                           17%\n                                                      Yes\n                                      48%\n                                                      No\n                          35%                         N/A\n\n\n\n      We received a total of 140 responses to question 39. The respondents\n      who selected \xe2\x80\x9cno\xe2\x80\x9d had the option of providing additional comments,\n      and 48 did. The trends identified in the comments were interpretation\n\n\n\n\n                                  - 123 -\n\x0c                                                              APPENDIX VII\n\n      of standards varies between auditors and the CODIS community as a\n      whole.\n\n\n40.   To be effective, do you believe external QAS auditors should be\n      qualified in the method or platform they are auditing?\n\n                                  3%\n\n                            21%\n                                                      Yes\n                                                      No\n                                       76%\n                                                      N/A\n\n\n\n\n      We received 143 responses to question 40. The respondents who said\n      \xe2\x80\x9cno\xe2\x80\x9d were given the opportunity to provide comments, and 29 did.\n\n\n41.   To be effective, do you believe external QAS auditors should be\n      qualified in the specific application (casework or offender) they\n      are auditing?\n\n                                  3%\n\n                          19%                           Yes\n                                                        No\n                                                        N/A\n                                       78%\n\n\n\n\n      We received 143 responses to question 41. The respondents who said\n      \xe2\x80\x9cno\xe2\x80\x9d were given the opportunity to provide comments, and 26 did.\n\n      The responses received about auditor qualifications to both question\n      40 and 41 were put into context with the comments that were\n      provided. A few examples are below:\n\n\n\n                                   - 124 -\n\x0c                                                                 APPENDIX VII\n\n      \xe2\x80\xa2   Technology, platforms, and methods are similar enough where an\n          auditor who is proficient or qualified in one will know enough to audit\n          them all.\n\n      \xe2\x80\xa2   A casework-qualified auditor can audit an offender laboratory but not\n          vice versa.\n\n      \xe2\x80\xa2   The auditors should be qualified or previously qualified, or at least\n          one person from the audit team should be qualified.\n\n\n42.   Do you have any suggestions for how the DNA community\xe2\x80\x99s\n      auditing structure (i.e., the way audits are conducted,\n      processed, and reviewed) can be improved, to better aid\n      national CODIS laboratory quality?\n\n      The trends from comments we identified in question 42 are below:\n\n      \xe2\x80\xa2   Interpretation of standards should be made more consistent.\n\n      \xe2\x80\xa2   Actual QAS should be revised and clarified.\n\n      \xe2\x80\xa2   Use the CODIS website to disseminate auditing information to CODIS\n          the community.\n\n\n43.   What level of consistency do you believe has existed in\n      guidance to the CODIS community regarding compliance with\n      NDIS requirements under the current CODIS Unit\n      management? [Do not count as inconsistencies the changes resulting\n      from expansions in the law to what is permitted in NDIS.]\n\n      The numeric rating scale used for question 43 is below.\n\n      1 = Inconsistent. The messages conveyed at meetings or\n      conferences do not match what is contained in written\n      guidance or what is conveyed in individual responses.\n\n      2 = Somewhat consistent. The messages conveyed at meetings\n      or conferences periodically match what is contained in written\n      guidance or what is conveyed in individual responses.\n\n\n\n\n                                      - 125 -\n\x0c                                                              APPENDIX VII\n\n      3 = Consistent. The messages conveyed at meetings or\n      conferences match what is contained in written guidance or\n      what is conveyed in individual responses, with rare exception.\n\n      4 = Very consistent. The messages conveyed at meetings or\n      conferences always match what is contained in written\n      guidance and what is conveyed in individual responses.\n\n      N/A = Unsure or not applicable based upon limited experience\n      [skip to question 45]\n\n      The average rating to this question was 2.8, which is closest to the\n      \xe2\x80\x9cconsistent\xe2\x80\x9d designation. In addition, 12 percent of the respondents\n      said \xe2\x80\x9cN/A."\n\n\n44.   If you designated a rating for question 43 as less than\n      consistent:\n\n      a.   How often did you feel that the inconsistency of guidance\n           has limited your ability to perform your CODIS\n           administrator duties or to comply with the NDIS\n           Requirements?\n\n\n                               2%\n\n                                    15%\n\n                   39%                               Very often\n                                                     Often\n                                                     Sometimes\n                                    44%              Rarely\n\n\n\n\n                                  - 126 -\n\x0c                                                          APPENDIX VII\n\nb.             To what cause(s) do you attribute the inconsistency of\n               guidance? [Check all that apply]\n\n\n                                                 Perceptions shifting\n               70%                               over time\n               60%                               Inconsistencies between\n Percentages\n\n\n\n               50%                               written sources\n               40%                               Personnel changes\n               30%\n               20%                               Inconsistencies between\n               10%                               groups / organizations\n                0%                               Misunderstood or\n                           Causes                misapplied guidance\n                                                 Other\n\n\n\nThe categories in the preceding graphic were offered as responses and\nsince multiple responses were permitted to this question we could not\ncalculate true percentages. This graphic is intended only as a way to\nconvey the magnitude of the responses given, by the 30 people who\nresponded to this question.\n\n\n\n\n                                    - 127 -\n\x0c                                                                     APPENDIX VII\n\n45.   What do you believe would improve the consistency of\n      understanding within the CODIS community regarding\n      compliance with NDIS requirements?\n\n                                                             Publish guidance\n                        70%\n                                                             given to individual\n                        60%                                  labs\n                                                             Increase training\n          Percentages\n\n\n\n\n                        50%\n                        40%                                  opportunities\n                        30%                                  Increase discussion\n                        20%                                  at the NCC\n                        10%\n                                                             Other\n                        0%\n                                 Methods\n\n      Multiple responses were permitted for question 45, and the options\n      displayed above were the ones we offered as responses. In addition\n      there were a total of 47 respondents who provided additional\n      comments. The trends identified in these comments are listed below:\n\n      \xe2\x80\xa2        The QAS and the related audit document need to be updated.\n\n      \xe2\x80\xa2        Post frequently asked questions and answers on QAS and NDIS\n               requirements.\n\n\n46.   Do you have any other comments, suggestions, or concerns\n      that you can offer regarding FBI administration of CODIS,\n      CODIS operations in your laboratory or in the CODIS\n      community as a whole, or factors that have the potential to\n      adversely impact CODIS operations in the future?\n\n      We received a total of 40 comments to question 46 and the trends we\n      identified are listed below:\n\n      \xe2\x80\xa2        There are inconsistencies in the way standards are interpreted\n               throughout the CODIS community.\n\n      \xe2\x80\xa2        The CODIS community needs more resources.\n\n\n\n\n                                         - 128 -\n\x0c                                                    APPENDIX VII\n\nInconsistencies in interpretation in the standards throughout the\nCODIS community was also one of our comment trends; specifically\nwe received 161 comments from 83 respondents on the subject.\n\nThe second comment trend in question 46 regards resources that\ninclude personnel, better technology, and tools, such as expert\nsystems. In addition, comments were made that indicated that the\nlack of resources force laboratories to make difficult decisions\nregarding resource allocation, and thus place pressure on quantity\nversus quality, which may not be best for the CODIS community as a\nwhole.\n\n\n\n\n                           - 129 -\n\x0c          APPENDIX VIII\n\n\n\n\n- 130 -\n\x0c          APPENDIX VIII\n\n\n\n\n- 131 -\n\x0c                                                            APPENDIX VIII\n\n     THE FEDERAL BUREAU OF INVESTIGATION\xe2\x80\x99S (FBI)\n                   RESPONSE TO THE\n           OIG\xe2\x80\x99S DRAFT AUDIT REPORT OF THE\n     COMBINED DNA INDEX SYSTEM OPERATIONAL AND\n            LABORATORY VULNERABILITIES\n\nRecommendation #1. Develop and implement a plan to ensure that all\n                  CODIS Administrators attend the FBI QAS auditor\n                  training.\n\nFBI Response: The FBI agrees that it would be beneficial for all CODIS\nAdministrators to receive the FBI Quality Assurance Standards (QAS) audit\ntraining. The CODIS Unit is planning a special auditor training class(es) on\nthe Quality Assurance Standards (QAS) in the fall of 2006 for State and\nLocal CODIS Administrators that have not had auditor training since issuance\nof the revised FBI Audit Document in July, 2004. All State and Local CODIS\nAdministrators that have not had the auditor training will be expected to\nattend this training. It will consist of two days of training on the Audit\nDocument and \xc2\xbd day on the DNA Data Accepted at NDIS scenarios.\nFollowing this special auditor course, if there is a new CODIS Administrator,\nhe or she will be required to attend the auditor training on the QAS before\nassuming his/her full Administrator duties. This requirement will be\nincorporated into revisions to the Memorandum of Understanding for\nParticipation in the National DNA Index System (NDIS MOU).\n\nRecommendation #2. Improve information sharing through enhancements\n                  to the CODIS website, considering the suggestions\n                  made by the community and implementing them\n                  wherever practicable.\n\nFBI Response: The FBI agrees that the CODIS website should be used to\ntransmit information of interest and importance to the CODIS community.\nAs a result of inquiries that come into the CODIS unit, we are aware that the\nCODIS website may not be routinely consulted by the CODIS users so the\nCODIS Unit will solicit suggestions for improving the utility of this website\nfrom the State CODIS Administrators during their June 2006 meeting in\nDallas, Texas. These suggestions will be reviewed by the Scientific Working\nGroup on DNA Analysis Methods (SWGDAM) CODIS Committee and to the\nextent practicable, implemented and shared with the CODIS community\nduring the Annual CODIS Conference in November 2006.\n\n\n\n\n                                   - 132 -\n\x0c                                                             APPENDIX VIII\n\nRecommendation #3. Distill profile allowability guidance, including\n                  scenarios that are discussed at national meetings,\n                  into a decision-tree or other written user-friendly\n                  guidance and disseminate that information to all\n                  CODIS users.\n\nFBI Response: The FBI agrees to disseminate additional allowability\nguidance to CODIS users. The CODIS Unit has included on the CODIS\nwebsite, the presentations of the scenarios discussed at the Annual CODIS\nConference for the past several years. Those scenario presentations are\nmade available on the website following the Conference. With respect to\nthat portion of the recommendation relating to incorporating the rules for\nprofile eligibility into a decision-tree, the CODIS Unit and the SWGDAM\nCODIS Committee (in preparation for the 2004 Annual CODIS Conference)\nhave each attempted to distill the eligibility determination into a decision\ntree but these efforts have not been successful. It cannot be\noveremphasized that each of these factual situations or scenarios is, in fact,\nunique, and the change of one detail can potentially change the\ndetermination of whether the profile is eligible for uploading to NDIS.\nAccordingly, at this time, we do not believe that the eligibility question can\nbe accurately reduced into a user friendly decision tree.\n\nThe CODIS Unit will include all the scenarios discussed at the Annual CODIS\nConference in the CODIS Administrators Handbook and on the CODIS web\nsite (with a direct link to the scenarios). Additionally, the CODIS Unit will\ninclude on the CODIS web site, to the extent appropriate, scenarios\nsubmitted by members of the CODIS community and the response of the\nNDIS Custodian.\n\nRecommendation #4. Formally request that the Scientific Working Group\n                  on DNA Analysis Methods consider, as part of its\n                  maintenance of the QAS, the operation material\n                  weaknesses identified by the CODIS Administrators,\n                  including: (1) the inherent limitations of one-person\n                  DNA laboratories; (2) uninvolved off-site technical\n                  leaders, and (3) laboratories that upload profiles that\n                  have not been fully reviewed.\n\nFBI Response: The FBI agrees that the issues identified by the CODIS\nAdministrators that impact the quality operations of a forensic DNA\nlaboratory should be shared with SWGDAM - the body charged with the\nresponsibility of recommending revisions to the FBI Director for the Quality\nAssurance Standards (QAS). The weaknesses identified by the CODIS\nAdministrators in the survey distributed by the OIG will be forwarded (once\n\n\n\n                                    - 133 -\n\x0c                                                           APPENDIX VIII\n\nthe OIG CODIS Audit Report has been finalized) to the SWGDAM Chairman\nfor their consideration during SWGDAM\xe2\x80\x99s review of the FBI Director\xe2\x80\x99s QAS.\nPlease see enclosed draft correspondence to the SWGDAM Chairman;\nEnclosure #1-A.\n\nRecommendation #5. Ensure that guidance on submission of information\n                  to the NDIS Audit Review Panel is sent to those\n                  members of CODIS labs that are responsible for this\n                  activity.\n\nFBI Response: The FBI agrees that it is important that the relevant\npersonnel in the CODIS laboratories have sufficient information to enable\nthem to submit appropriate and complete audit documentation. The Chief of\nthe CODIS Unit has already requested that CODIS Administrators provide\nhim with the contact information for the person in their laboratory\nresponsible for the QAS audits. The CODIS Unit will be mailing a copy of the\nNDIS Procedure on \xe2\x80\x9cReview of External Audits\xe2\x80\x9d as well as a list of the\nspecific information considered audit documentation to the designated\ncontact persons for their information and review. This information will also\nbe included in the Annual CODIS Conference materials. Additionally, the\nCODIS Unit, in conjunction with the Chair of the NDIS Audit Review Panel,\nwill present this information verbally at the Annual CODIS Conference in\nNovember, 2006 (and annually thereafter) and will request permission from\nthe SWGDAM Chairman to present this information at the semiannual\nSWGDAM meeting in July, 2006 and the public SWGDAM meeting held in\nconjunction with the Annual Promega Symposium.\n\nRecommendation #6. Develop and utilize a mechanism for tracking\n                  information requests that are received by the CODIS\n                  Unit to ensure a timely response.\n\nFBI Response: The FBI agrees that it is important to track requests for\ninformation to ensure that they receive an appropriate response. Tracking\nsystems are already in place within the CODIS Unit for the external audit\nreview process as well as the OIG audits of NDIS participating laboratories.\nThe CODIS Unit will post a written request form on the CODIS web site to\nfacilitate inquiries by CODIS users. The written requests submitted to the\nCODIS Unit that require a response will be logged in and tracked in a\nRequest Log; please see a draft copy of the log - Enclosure #1-B. For those\nrequests requiring a response and that do not contain a due date, a due date\nfor two weeks from the date of receipt will automatically be assigned. This\nRequest Log will be printed out on a weekly basis and provided to the CODIS\nUnit Chief for review.\n\n\n\n\n                                  - 134 -\n\x0c                                                              APPENDIX VIII\n\nRecommendation #7. Develop communication policies that will allow the\n                  CODIS Unit to provide written guidance to members\n                  of the DNA community to the fullest extent possible.\n\nFBI Response: As appropriate, the FBI will provide written guidance,\nthrough CODIS Technical Bulletins, the CODIS website, or both, on issues of\ninterest and importance to the CODIS community. Additionally, at the time\nof issuance, all CODIS Technical Bulletins are faxed to each NDIS\nParticipating Laboratory.\n\nRecommendation #8. Develop a staffing plan that identifies current\n                  hindrances to filling vacant positions in the CODIS\n                  Unit, potential solutions to those hindrances, and a\n                  time line of requirements for action to fill those\n                  positions.\n\nFBI Response: The FBI is committed to filling those vacancies that\ncurrently exist in the CODIS Unit and will be exploring other avenues for\nadvertising those positions. The NDIS Custodian (Program Manager) and\nCODIS Auditor positions require that the persons have some familiarity with\nthe National DNA Index System and the FBI Director\xe2\x80\x99s Quality Assurance\nStandards. Accordingly, the CODIS Unit Chief has mentioned the available\npositions at meetings of the CODIS State Administrators, CODIS user\ncommunity and SWGDAM members in an effort to \xe2\x80\x98get the word\xe2\x80\x99 on these\npositions. Additionally, the CODIS Unit Chief has encouraged qualified\npersons to apply. To date, an insufficient number of qualified persons have\napplied for these remaining positions so additional advertising forums will be\nexplored with the FBI\xe2\x80\x99s Personnel Unit. For example, advertisements for the\navailable positions could be placed at forensic-related web sites (American\nAcademy of Forensic Sciences, American Society of Crime Laboratory\nDirectors, etc...). Additionally, FBI hiring is handled by the Administrative\nServices Division and therefore the process and timeline are outside of the\ncontrol of the CODIS Unit and the Laboratory Division.\n\nRecommendation #9.Develop written descriptions of routine activities and\n                  responsibilities for current staff in the CODIS Unit,\n                  particularly those with multiple roles, and\n                  incorporate this information in a procedure manual\n                  for each position.\n\nFBI Response: The FBI agrees that more detailed information on the\nroutine activities and responsibilities of the current CODIS Unit staff would\nbe helpful in the training process for new staff to the Unit. To ensure that\nthe current staff is not overburdened, the CODIS Unit will consult with the\n\n\n\n                                    - 135 -\n\x0c                                                              APPENDIX VIII\n\nPersonnel Unit to determine if this additional task may be added to their\nperformance review objectives for the following year. This should facilitate\nthe collection of this information while ensuring that this additional task is\nappropriately incorporated into the staff\xe2\x80\x99s responsibilities.\n\nRecommendation #10. Incorporate the three activities we identified that\n                 are performed on behalf of the CODIS Unit by other\n                 FBI personnel - auditing of NDIS data, providing of\n                 training on QAS compliance, and overseeing the\n                 activities of the Review Panel - into the CODIS Unit\xe2\x80\x99s\n                 objectives and measurements to fully reflect the\n                 CODIS Unit\xe2\x80\x99s efforts to address its mission.\n\nFBI Response: The FBI is supportive of including additional measurements\nto demonstrate how the CODIS Unit fulfills its mission and statutory\nresponsibilities. Because the CODIS Unit has not previously been tracking\nthe three areas noted above - auditing of NDIS data, providing of training on\nQAS compliance, and overseeing the activities of the NDIS Audit Review\nPanel - the CODIS Unit plans to begin to track these additional areas in\nFederal Fiscal Year 2007.\n\nRecommendation #11. Ensure the development contract process is\n                 completed as planned and that the development\n                 contract awarded allows for continued\n                 responsiveness to legislated changes to CODIS\n                 operations.\n\nFBI Response: In light of the OIG\xe2\x80\x99s statements that the \xe2\x80\x9cFBI has taken\nmeasures to provide for the operations, maintenance, and security of the\nCODIS system for the near future...\xe2\x80\x9d and that \xe2\x80\x9cthe independent assessment\ndetermined the Justice for All Act could be implemented and operate over\nthe next 3 to 5 years without exceeding capacity of the current CODIS\narchitecture\xe2\x80\x9d, it appears that this Recommendation may be unnecessary.\nThe CODIS Unit, with the assistance of the NDIS Procedures Board, has\naddressed changes in Federal law, first through the Justice For All Act of\n2004 and this year with the DNA Fingerprint Act of 2005 and these changes\nto procedures and the operation of the National DNA Index System have\nbeen implemented as soon as practicable (please refer to OIG report at\npages 4 and 5). The CODIS Unit will continue to follow its schedule for the\ndevelopment contract. In the event of future legislative changes to the\nFederal law affecting the operation of the National DNA Index System, such\nchanges will continue to be addressed and implemented as soon as\npracticable.\n\n\n\n\n                                    - 136 -\n\x0c                                                             APPENDIX VIII\n\nRecommendation #12. Ensure that the internal controls over the\n                 compliance of NDIS data are strengthened beyond\n                 the current reliance on self-certification annual\n                 reminder forms.\n\nFBI Response: The FBI does not agree that the self-certification forms and\nother mechanisms currently in place are insufficient internal controls for the\nensuring the appropriateness of DNA data uploaded to NDIS. The annual\nreminder forms on DNA Data Accepted at NDIS must be reviewed and\nsigned by each CODIS user. CODIS users in State and Local laboratories\nsubmit these forms to their CODIS Administrator who is required to maintain\nthese on file for inspection, if requested by the FBI.\n\nAdditionally, the CODIS Unit includes a presentation on the DNA Data\nAcceptable at NDIS at each Annual CODIS Conference. Beginning in\nFebruary, 2006, the NDIS Custodian now provides 2 to 3 hours of instruction\nand discussion on the DNA Data Acceptable at NDIS during each CODIS\ntraining class.\n\nThe FBI disagrees with the OIG\xe2\x80\x99s generalization that the annual certification\nforms have not been successful in ensuring compliance with profile\nallowability restrictions based on its review of OIG audits conducted during\n2004 and 2005. We would suggest that the 2004 and 2005 audit data be\ncontrasted with the OIG recommendations from their 2001 audit of the\nCODIS Program. For example, the 2001 CODIS audit found 40 instances of\ninappropriate DNA profiles uploaded to NDIS by 5 out of 8 labs. While the\nOIG reports 13 incidences of inappropriate profiles uploaded to NDIS, a\nreview of the data found in Figure 13 indicates that only 8 of those\nincidences related to specimen eligibility issues while the remaining 5\nfindings relate to accuracy and review issues. A comparison of these\nnumbers from 2001 (before the annual reminder forms were implemented)\nand the 2004/2005 audits does demonstrate fewer instances of findings\nrelating to specimen eligibility at NDIS.\n\nRecommendation #13. Implement a formal mechanism for tracking\n                 findings in audits reviewed by an NDIS Audit Review\n                 Panel so that common findings and inconsistencies in\n                 interpretation can be identified.\n\nFBI Response: The FBI agrees that information concerning standards\nfrequently cited in audits and differences in interpretation provide valuable\ninformation that can be shared with the CODIS community and auditors to\nensure consistent interpretation and application of the FBI Director\xe2\x80\x99s Quality\nAssurance Standards (QAS). The CODIS Unit, and more recently the current\n\n\n\n                                   - 137 -\n\x0c                                                             APPENDIX VIII\n\nand previous Chairs of the NDIS Audit Review Panels, have been informally\ntracking this information since 2003 when presentations were made at the\npublic SWGDAM meeting held at Promega (September 2003) and the Annual\nCODIS Conference (November 2003) which included a review of the external\naudit review process, observations of common pitfalls in submitting the\naudits and Standards that generated the most findings.\n\nBeginning in 2006, the FBI has been tracking general information relating to\nthose Standards that generate the most findings. The FBI will now track\nfindings that are subsequently overturned. This information will be used in\nAuditor Training Classes and will be shared with the CODIS community. The\nFBI will not be tracking information that would identify a specific laboratory\nin order to maintain the confidentiality of the audit review process.\n\nRecommendation #14. Implement a formal mechanism for tracking\n                 auditor performance so that QAS auditors who use\n                 incorrect interpretations of the QAS can adjust their\n                 performance and also so that the FBI can detect\n                 whether individual QAS auditors require additional\n                 guidance.\n\nFBI Response: The FBI has informally been tracking issues relating to\ninconsistent interpretation of the QAS for the past several years and has\ninformally communicated with the auditors\xe2\x80\x99 employing organization\nconcerning such interpretations. Since the FBI is not the employing\norganization for the auditors, it is left up to these organizations to take\nwhatever corrective measures deemed appropriate by the organizations. As\npart of the tracking mechanism that will be implemented for QAS standards,\nthe FBI will also track issues of inconsistent interpretation by an auditor.\nThe FBI will continue to advise the auditor\xe2\x80\x99s employing organization, as\nnecessary. The FBI will also establish relationships with the regional\nauditing groups so as to keep them informed of any inconsistency in\ninterpretations of the QAS.\n\n\nRecommendation #15. Use these mechanisms to provide specific training\n                 to the DNA community on common findings and\n                 inconsistencies observed, to aid the DNA\n                 community\xe2\x80\x99s compliance, and to further improve\n                 consistency between organizations and QAS auditors.\n\nFBI Response: The FBI will continue to share information with the CODIS\ncommunity concerning the proper interpretation of the FBI Director\xe2\x80\x99s QAS.\nAdditionally, the CODIS Unit will include presentations on such topics during\n\n\n\n                                   - 138 -\n\x0c                                                                 APPENDIX VIII\n\nthe Annual CODIS Conference and will consult with the DNA Analysis Unit I\nconcerning a more formal integration of this information into the FBI\nsponsored QAS auditor training.\n\nRecommendation #16. Broaden the current methodology used by FBI QAS\n                 auditors for NDIS profile verification to permit the\n                 selection of profiles from each laboratory\xe2\x80\x99s total\n                 profiles in NDIS. This revised methodology should\n                 continue once CODIS Unit auditors are on staff.\n\nFBI Response: The external QAS audit currently conducted by qualified\nauditors from the FBI\xe2\x80\x99s DNA Analysis Unit I is governed by the QAS Audit\ndocument. This Audit document is used by the CODIS community to satisfy\nrequirements for participation in the National DNA Index System. The\npurpose of the external QAS audit is to ensure compliance with the FBI\nDirector\xe2\x80\x99s QAS - a requirement in Federal law for participation in NDIS.\n\nThe issue of a profile\xe2\x80\x99s eligibility for the National Index is not a quality issue\nbut, rather, an issue of the integrity of the DNA records uploaded to and\nmaintained at NDIS. The eligibility of DNA profiles, while also governed by\nFederal law, is an issue addressed by NDIS Procedures. As such, the\neligibility of DNA profiles is ultimately determined by the NDIS Custodian.\nThe FBI believes it appropriate to have the review the issue of profile\neligibility separate from the external quality audit of an NDIS participating\nlaboratory. Thus, the FBI proposes that the review of profile eligibility\nremain with the CODIS Unit auditors. The CODIS Unit auditors will conduct\nexternal QAS audits of NDIS Participating Laboratories that will also include\na review of 50-150 DNA profiles per laboratory to ascertain whether DNA\nprofiles uploaded to NDIS were eligible for NDIS. For forensic caseworking\nlaboratories, a total of 50 DNA profiles may be reviewed and for offender\ndatabasing laboratories, a total of 100 DNA profiles may be reviewed.\n\nRecommendation #17. Expand the scope of CODIS Unit auditor duties to\n                 include verification of compliance with NDIS\n                 requirements.\n\nFBI Response: Please refer to the FBI\xe2\x80\x99s response to Recommendation #16\nabove. Additionally, the CODIS Unit auditors, during the external QAS audit\nprocess, will perform a review of the following NDIS Procedure\nrequirements:\n\n            1. Documentation to ensure that every CODIS user has complied\n               with the Annual Reminder of DNA Data Acceptable at NDIS;\n\n\n\n\n                                      - 139 -\n\x0c                                                              APPENDIX VIII\n\n            2. DNA profile eligibility (including review of DNA profiles at\n               NDIS for required loci);\n            3. Confirmation of Interstate Candidate Matches; and\n            4. Outsourced DNA data subject to technical review.\n\nRecommendation #18. Alter the annual user certification documentation\n                 required from laboratories to include information\n                 sufficient to confirm that all CODIS users are\n                 completing the forms as required.\n\nFBI Response: The FBI believes that the use of the annual certification\nforms has increased the CODIS user\xe2\x80\x99s awareness of the DNA profiles eligible\nfor NDIS. To ensure that all CODIS users are completing the forms as\nrequired, the FBI now requires that the annual certification form is submitted\nby all new CODIS users with the other documentation required for Adding a\nCODIS User. Additionally, the CODIS Unit will be proposing changes to the\nNDIS Procedures to require that each CODIS State Administrator provide the\nNDIS Custodian, on an annual basis, with a listing of those CODIS Users in\ntheir State who have completed and signed their Annual Reminder forms on\nDNA Data Accepted at NDIS. The CODIS Unit will then check the CODIS\nusers identified on this annual listing to ensure that all approved CODIS\nusers have completed their annual reminder forms. Please refer to response\nto Recommendation #12.\n\nRecommendation #19. Ensure that QAS auditor training is based upon a\n                 comprehensive written curriculum, including\n                 guidance that reaches beyond the contents of the\n                 audit document.\n\nFBI Response: The FBI\xe2\x80\x99s DNA Analysis Unit I has been providing auditor\ntraining for five years since September 2000 when the QAS Audit document\nwas first introduced. To date, over 1,000 individuals have received the FBI\nsponsored auditor training. The training is given by the Chief of the DNA\nAnalysis Unit I and follows a written curriculum. Each student is provided\nwith a notebook containing the presentation (to assist in documenting the\ncourse, interpreting Standards and note-taking) as well as the FBI Audit\nDocument. At the conclusion of the auditor training, an examination is\nadministered to the participants and a grade of pass/fail is given.\n\nTo ensure the consistent interpretation of the Standards, appropriate\nguidance has been included in the comment and discussion sections of the\nQAS Audit Document and that constitutes the written guidance, in addition\nto the training materials, provided to the participants. Auditors are\n\n\n\n\n                                    - 140 -\n\x0c                                                           APPENDIX VIII\n\nencouraged to contact the DNA Analysis Unit I or the CODIS Unit if they\nhave a question concerning the interpretation of a Standard.\n\nRecommendation #20. Develop web-based training tools for QAS\n                 compliance and auditing information, to aid the\n                 CODIS community\xe2\x80\x99s awareness, understanding, and\n                 consistent interpretation of the QAS.\n\nFBI Response: The FBI is supportive of any mechanism that will facilitate\nthe CODIS community\xe2\x80\x99s awareness, understanding and consistent\ninterpretation of the QAS. The FBI believes that the auditor training is one\nsuch mechanism and efforts to expand that training to the internet could\nfurther encourage consistent interpretation of the QAS. The FBI will explore\nwhat additional resources would be needed for the development of\ncomputer-based training tools for QAS compliance and auditing information.\nMeanwhile, the integration of the CODIS Unit auditors into the external QAS\naudit process and audit reviews are expected to further consistency in\ninterpreting the QAS.\n\nRecommendation #21.    Monitor NDIS Audit Review Panel member\n                 performance to ensure that members are timely, and\n                 implement procedures for taking action in cases\n                 where members are consistently untimely.\n\nFBI Response: The FBI acknowledges the participation of State and local\nforensic DNA scientists in the NDIS audit review process, and without whose\nparticipation, this review process could not have been implemented. The\nFBI does not agree that there is any need to formally monitor the\nperformance of NDIS Audit Review Panel Members to ensure that members\nare timely. The overwhelming majority of NDIS Audit Review Panel\nMembers perform their reviews in a timely and satisfactory manner. While\nthe OIG audit has found one Panel Member who has been consistently late in\nhis/her responses, there are currently over 88 NDIS Audit Review Panel\nMembers. Accordingly, in light of the efforts of the NDIS Audit Review Panel\nmembers who volunteer their time to assist in this endeavor and the lack of\nany trend indicating that Panel members are consistently late in their\nresponses, the FBI does not see any need, at this time, to monitor Panel\nMembers\xe2\x80\x99 performance for timeliness.\n\nRecommendation #22.    Track information currently collected from\n                 NDIS participants to ensure all external QAS audits\n                 reported to the CODIS Unit are also submitted to the\n                 NDIS Audit Review Panel.\n\n\n\n\n                                   - 141 -\n\x0c                                                            APPENDIX VIII\n\nFBI Response: The FBI is supportive of efforts to further improve the audit\nreview process. The CODIS Unit does currently track the audits from receipt\nto completion and closure of the audit. The CODIS Unit will also compare\nthe audit information reported by the State CODIS Administrators in\naccordance with NDIS Procedures with the audit information tracked by the\nUnit in an effort to ensure that all external audits conducted are subject to\nthe NDIS Audit Review process.\n\n\n\n\n                                   - 142 -\n\x0c                                                              APPENDIX IX\n\n  OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND\nSUMMARY OF ACTIONS NECESSARY TO CLOSE THE REPORT\n\n            The FBI response to the draft audit report appears in\nAppendix VIII. In its response, the FBI generally agreed with our\nrecommendations and described the corrective actions it has taken or\nintends to take with regard to the recommendations. However, the FBI\ndisagreed with a few of the recommendations, and these are identified as\n\xe2\x80\x9cunresolved\xe2\x80\x9d in the listing below. The status of the individual\nrecommendations is as follows:\n\n1.   Resolved. This recommendation can be closed when we receive\n     documentation that: (1) the special QAS auditor training classes\n     scheduled for the fall of 2006 have been conducted, and that current\n     CODIS Administrators who have not yet had this training were in\n     attendance; and (2) the NDIS MOU has been revised to reflect a\n     requirement that new administrators receive this training prior to\n     assuming their full CODIS duties.\n\n2.   Resolved. This recommendation can be closed when we receive a\n     description of the changes the FBI has implemented to enhance the\n     information sharing capabilities of the CODIS website.\n\n3.   Resolved. This recommendation can be closed when the FBI provides\n     documentation that it has developed user-friendly resources, on the\n     CODIS website or through other means, for allowing CODIS users to\n     expand and test their understanding of profile allowability.\n\n     Relatedly, we believe the FBI needs to reconsider its firm stance\n     against a decision-tree type tool. While we acknowledge that every\n     factual scenario presents different nuances of detail, there are many\n     scenarios that ultimately can be distilled into a series of questions. In\n     other words, to determine profile allowability, a CODIS user has to\n     answer a series of question for each scenario and these could be\n     captured in a tool similar to a decision tree. For example, questions\n     could be given in a series, as follows: \xe2\x80\x9cDoes this profile, in whole or\n     part, match the victim\xe2\x80\x99s profile? If yes, then is there a suspect or\n     other known profile available to compare to, that enables deduction of\n     the victim\xe2\x80\x99s portion? If yes, then the victim\xe2\x80\x99s portion should not be\n     uploaded to NDIS.\xe2\x80\x9d Such a tool would not address every situation, but\n     it would help users reason through the major factors that they should\n     consider to determine allowability. The OIG continues to find\n     unallowable forensic profiles in its CODIS laboratory audits, even in\n\n\n\n                                   - 143 -\n\x0c                                                              APPENDIX IX\n\n      laboratories with experienced CODIS users. We believe that even\n      rudimentary tools that are easy to use and understand would be an\n      assistance to CODIS users as they develop their own understanding of\n      allowability.\n\n4.    Resolved. This recommendation can be closed when we receive a\n      copy of the formal request that has been sent to the SWGDAM\n      Chairman regarding the material operational weaknesses identified\n      during our audit by CODIS Administrators. The FBI did not provide the\n      draft correspondence to SWGDAM noted in its response.\n\n5.    Resolved. This recommendation can be closed when we receive\n      documentation that a listing of appropriate contacts for QAS audit\n      resolution in each CODIS laboratory has been developed, and that\n      guidance has been provided to those contacts on how they can ensure\n      that their submissions to the NDIS Audit Review Panel are complete\n      and appropriate to facilitate resolution.\n\n6.    Resolved. This recommendation can be closed when we receive a\n      written policy or procedure formalizing the process described in the\n      FBI\xe2\x80\x99s response, and documentation of its implementation. The FBI did\n      not provide the draft copy of a request log noted in its response.\n\n7.    Resolved. This recommendation can be closed when we receive the\n      written policy or procedure that formally describes how the CODIS Unit\n      ensures that it provides written guidance to the CODIS community to\n      the fullest extent possible.\n\n8.    Resolved. This recommendation can be closed when we receive a\n      written plan that identifies where delays and hindrances have occurred\n      in filling long-standing vacant CODIS Unit positions, and specific\n      actions being taken to address those delays and hindrances to\n      facilitate full staffing levels. This plan can include such actions as\n      pursuing other avenues of advertising the positions, as described in\n      the FBI response.\n\n9.    Resolved. This recommendation can be closed when we receive\n      documentation that each CODIS Unit position\xe2\x80\x99s duties, responsibilities,\n      and routine activities have been memorialized into a form of training\n      manual for that position.\n\n10.   Resolved. This recommendation can be closed when we receive\n      documentation of the formalization of the three activities we describe\n      into performance measurements for the CODIS Unit.\n\n\n\n                                   - 144 -\n\x0c                                                                APPENDIX IX\n\n11.   Resolved. This recommendation can be closed when we receive\n      documentation of the completion of the development contract as well\n      as a description of how that contract provides for continued flexibility\n      to legislative changes to CODIS operations.\n\n12.   Unresolved. The FBI disagrees with the strength of the OIG\xe2\x80\x99s\n      evidence to support this recommendation, as well as what it views as a\n      generalization that the certification forms have not fully accomplished\n      their purpose of ensuring compliance. Yet, the OIG\xe2\x80\x99s evidence shows\n      that one-third of the audits we conducted over a 2-year period (6 of\n      18) found that the laboratories had not completed the forms as\n      required. Further, roughly two-thirds of the audits we conducted in\n      that 2-year period (11 of 18) revealed forensic profiles that were not\n      acceptable, based upon FBI-established criteria.\n\n      To support its argument, the FBI draws a comparison between our\n      results in our 2001 audit and current audit trends. FBI management\n      states that we found 40 instances of inappropriate DNA profiles\n      uploaded to NDIS by 5 out of the 8 laboratories audited. This\n      comparison is false in that it compares the number of profiles\n      identified, from our previous report, to the number of laboratories at\n      which those profiles were found, as we quote in our current report. To\n      be consistent, the comparison should state that our 2001 report\n      identified forensic profiles that were not acceptable at 6 of the 8\n      laboratories we audited. Consequently, a reduction from a 75 percent\n      incident rate (6 of 8) in our 2001 audit report to a 61 percent incident\n      rate (11 of 18) in FY\xe2\x80\x99s 2004 to 2005 audit reports is not sufficient to\n      support a claim that the annual reminder forms have accomplished\n      their intended purpose.\n\n      Further, the FBI argues that other measures are being taken as part of\n      the internal controls over the appropriateness of data uploaded to\n      NDIS. Such an argument actually supports our recommendation,\n      since our recommendation encourages the FBI to take other measures.\n      This is particularly true in light of the fact that one of the key\n      measures the FBI mentions, the addition of special instruction to each\n      CODIS training class, has been implemented since our audit work\n      concluded. Consequently, we conclude that the FBI\xe2\x80\x99s support for\n      disagreement with our recommendation is not sufficient to set aside\n      the legitimate evidence supporting our recommendation.\n\n13.   Resolved. This recommendation can be closed when we receive:\n      (1) documentation that a formalized tracking system has been\n      implemented to identify common and overturned findings from the\n\n\n\n                                    - 145 -\n\x0c                                                                APPENDIX IX\n\n      audits reviewed by the NDIS Audit Review Panel, and (2) a policy for\n      how that information will be used to enhance community consistency\n      and compliance.\n\n14.   Resolved. This recommendation can be closed when we receive:\n      (1) documentation that a formalized tracking system has been\n      implemented to identify auditors who use inconsistent interpretations\n      of the QAS, and (2) a policy for what action should be taken when\n      such auditors are identified.\n\n15.   Resolved. This recommendation can be closed when we receive\n      documentation that a mechanism has been developed to\n      systematically communicate the information gathered in response to\n      recommendation nos. 13 and 14 to training providers in the DNA\n      community, including the FBI\xe2\x80\x99s own QAS audit trainers.\n\n16.   Resolved. This recommendation can be closed when we receive a\n      copy of the formal policy for the conducting of profile allowability\n      reviews on behalf of the CODIS Unit that reflects: (1) the expanded\n      size of the reviews described in the FBI\xe2\x80\x99s response; and (2) the\n      objective and independent methods that will be used to ensure that\n      those profiles are selected from among all of a laboratory\xe2\x80\x99s profiles at\n      NDIS.\n\n      Relatedly, we want to address what appears to be a misunderstanding\n      by the FBI regarding the nature of our recommendation. The FBI\n      appears to have read our recommendation as advising the FBI to use\n      QAS auditors to perform profile allowability reviews. In actuality, the\n      OIG\xe2\x80\x99s recommendation, that flows directly from the support in the\n      report, only acknowledges that the FBI has already been using QAS\n      auditors to perform profile allowability reviews. The recommendation\n      communicates that even now, while the FBI is handling the profile\n      allowability reviews in this way, changes need to be made to the\n      methodology. In our report, as well as in our recommendation, we\n      acknowledge the FBI\xe2\x80\x99s stated intention to have the profile allowability\n      reviews conducted by the CODIS Unit auditors. However, at the time\n      of our audit, no such auditors had reported to duty in the Unit.\n      Consequently, our recommendation advises the FBI to implement this\n      change in methodology immediately, rather than at some point in the\n      future when the CODIS Unit auditors are on staff.\n\n17.   Resolved. This recommendation can be closed when we receive a\n      copy of the formal policy or procedure that describes the scope of the\n      CODIS Unit auditor\xe2\x80\x99s reviews, demonstrating that those reviews will\n\n\n\n                                    - 146 -\n\x0c                                                               APPENDIX IX\n\n      include an analysis of compliance with NDIS requirements, as\n      described in the FBI\xe2\x80\x99s response.\n\n18.   Resolved. This recommendation can be closed when we receive\n      documentation that the changes to the NDIS procedures proposed in\n      the FBI\xe2\x80\x99s response have been implemented, to annually confirm that\n      all approved CODIS users have completed their annual user\n      certification forms.\n\n19.   Unresolved. The FBI\xe2\x80\x99s response does not address how it plans to\n      ensure that all guidance given at auditor training courses, including\n      verbal guidance given extemporaneously in discussion sessions as\n      specifically mentioned in our report, is documented in writing for\n      future reference to ensure consistency and to disseminate within the\n      community. Instead, the FBI asserts that the training is already based\n      on a written curriculum. As our report analysis discloses, we agree\n      that a written curriculum exists, but do not believe that it\n      comprehensively documents verbal guidance given supplemental to\n      the audit document in training courses.\n\n20.   Resolved. This recommendation can be closed when we receive\n      documentation of the implementation of web-based tools to aid the\n      CODIS community\xe2\x80\x99s awareness, understanding and consistent\n      interpretation of the QAS.\n\n21.   Unresolved. The FBI disagrees with this recommendation on the\n      basis that the OIG did not provide compelling evidence to support it, in\n      the form of a trend analysis of how many panel members were\n      untimely. Such a trend analysis was not within the scope of the OIG\xe2\x80\x99s\n      work on this audit, but through the course of other work performed,\n      we noted one glaring incident of a panel member being consistently\n      late on audits they reviewed. The FBI argues that since we cite only\n      1 out of the approximately 88 panel members, our evidence is\n      insufficient. However, the FBI ignores our data analysis of overall\n      panel timeliness that revealed, on average, panel members are taking\n      almost twice as long as permitted to complete their reviews (54 days\n      rather than 30). How many members are implicated by this average\n      was not our concern, but rather the fact that panel member timeliness\n      impacts the overall timeliness of the panel process. Consequently, our\n      audit evidence is sufficient to warrant this recommendation.\n\n22.   Resolved. This recommendation can be closed when we receive\n      documentation that the CODIS Unit has implemented a procedure to\n      begin comparing the audit information reported annually by the SDIS\n\n\n\n                                   - 147 -\n\x0c                                                       APPENDIX IX\n\nAdministrators to the audits received by the NDIS Audit Review Panel,\nto ensure all appropriate audits have been submitted to that Panel.\n\n\n\n\n                            - 148 -\n\x0c'